
GitLab has issued a security advisory urging users to upgrade their self-managed GitLab installations immediately. The advisory highlights the release of versions 17.11.1, 17.10.5, and 17.9.7 for both GitLab Community Edition (CE) and Enterprise Edition (EE) to address “important bug and security fixes.”
High-Severity XSS and Account Takeover Risks
The advisory details several vulnerabilities, including two high-severity Cross-Site Scripting (XSS) issues in the Maven Dependency Proxy. Under specific conditions these flaws allow a “cross-site-scripting attack and content security policy bypass in a user’s browser”; they affect all versions from 16.6 before 17.9.7, 17.10 before 17.10.5, and 17.11 before 17.11.1.
GitLab has assigned CVE-2025-1763 and CVE-2025-2443 to these XSS vulnerabilities, both rated CVSS 8.7 (High). The discovery of both is credited to joaxcar through GitLab’s HackerOne bug bounty program.
Furthermore, a Network Error Logging (NEL) Header Injection vulnerability in the Maven Dependency Proxy has been identified. An attacker who can inject such headers could “track users’ browsing activities, potentially leading to full account take-over”. This vulnerability, tracked as CVE-2025-1908, has a CVSS score of 7.7.
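To make the NEL mechanism concrete, here is an added example (written for this article, not GitLab code) that audits a response's NEL and Report-To headers. A browser that receives these headers over HTTPS stores the policy for the serving origin and sends reports about its later requests to that origin to the named endpoints; a `success_fraction` above zero makes it report successful requests as well, which is what turns a diagnostic feature into a browsing tracker. The host `gitlab.example.com`, the collector `collector.example.net`, and all sample header sets are constructed for the example and are not taken from the advisory or from a real GitLab response.

```python
"""Inspect HTTP response headers for a Network Error Logging (NEL) policy that
would ship reports about a user's requests to a third party.

Added example for this article (not GitLab code). It shows the mechanism
behind an NEL header injection in general terms: a browser that receives
NEL and Report-To headers over HTTPS stores the policy for that origin and
sends reports about later requests to that origin to the named endpoints.
The sample headers below are constructed; they are not taken from the
advisory or from a real GitLab response.
"""
import json
from typing import Any, Dict, List
from urllib.parse import urlsplit


def parse_report_to(value: str) -> Dict[str, List[str]]:
    """Map Report-To group name -> endpoint URLs.

    The header value is one or more JSON group objects separated by commas,
    so wrapping it in [...] turns it into a JSON array."""
    groups = json.loads("[" + value + "]")
    return {g.get("group", "default"): [e["url"] for e in g.get("endpoints", [])]
            for g in groups}


def audit_nel(headers: Dict[str, str], site_host: str) -> Dict[str, Any]:
    """Summarise the NEL policy in a response served by site_host.

    off_origin_endpoints lists report collectors whose host is not site_host;
    reports_successes is True when success_fraction > 0 (then every request,
    not only failures, is reported, which is what makes NEL usable for tracking)."""
    h = {k.lower(): v for k, v in headers.items()}
    result: Dict[str, Any] = {
        "nel_present": False,
        "off_origin_endpoints": [],
        "reports_successes": False,
        "include_subdomains": False,
        "max_age": 0,
    }
    if "nel" not in h:
        return result
    nel = json.loads(h["nel"])
    result["nel_present"] = True
    result["max_age"] = int(nel.get("max_age", 0))
    result["include_subdomains"] = bool(nel.get("include_subdomains", False))
    result["reports_successes"] = float(nel.get("success_fraction", 0)) > 0
    groups = parse_report_to(h["report-to"]) if "report-to" in h else {}
    for url in groups.get(nel.get("report_to", "default"), []):
        if (urlsplit(url).hostname or "").lower() != site_host.lower():
            result["off_origin_endpoints"].append(url)
    return result


def is_tracking_policy(report: Dict[str, Any]) -> bool:
    """A live policy (max_age > 0) that sends reports to an off-origin host."""
    return bool(report["nel_present"] and report["max_age"] > 0
                and report["off_origin_endpoints"])


# Constructed samples for a hypothetical site at gitlab.example.com.
SITE_HOST = "gitlab.example.com"

NORMAL_RESPONSE = {
    "Content-Type": "application/xml",
    "Cache-Control": "private",
}

# A policy that reports 100% of requests to a collector the site does not own.
INJECTED_RESPONSE = {
    "Content-Type": "application/xml",
    "Report-To": '{"group":"nel","max_age":604800,'
                 '"endpoints":[{"url":"https://collector.example.net/r"}]}',
    "NEL": '{"report_to":"nel","max_age":604800,'
           '"include_subdomains":true,"success_fraction":1.0}',
}

# A first-party policy that only reports failures: not a tracking concern.
FIRST_PARTY_RESPONSE = {
    "Report-To": '{"group":"ops","max_age":86400,'
                 '"endpoints":[{"url":"https://gitlab.example.com/-/nel"}]}',
    "NEL": '{"report_to":"ops","max_age":86400}',
}

if __name__ == "__main__":
    for name, resp in [("normal", NORMAL_RESPONSE), ("injected", INJECTED_RESPONSE),
                       ("first-party", FIRST_PARTY_RESPONSE)]:
        r = audit_nel(resp, SITE_HOST)
        print(f"{name:12s} tracking={is_tracking_policy(r)} {r}")
```

Two caveats worth keeping in mind when using a check like this: a stored NEL policy stays in the browser until its `max_age` elapses or the origin serves a replacing `NEL` header, so patching the server does not immediately undo a policy a user already received, and newer browsers also accept the `Reporting-Endpoints` header, which this audit does not parse.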
Denial-of-Service and Unauthorized Access
In addition to the XSS and account takeover risks, the advisory also addresses a medium-severity Denial of Service (DoS) vulnerability “affecting service availability via issue preview”. This issue, assigned CVE-2025-0639, affects versions from 16.7 prior to 17.9.7, 17.10 prior to 17.10.5, and 17.11 prior to 17.11.1. Sigitsetiawansss is credited with reporting this vulnerability.
Finally, an access control issue could lead to “unauthorized access to branch names when Repository assets are disabled in the project”. This vulnerability, tracked as CVE-2024-12244, affects versions from 17.7 prior to 17.9.7, 17.10 prior to 17.10.5, and 17.11 prior to 17.11.1. Mateuszek reported this issue through the HackerOne program.
Immediate Upgrade Recommended
GitLab strongly advises that “all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible”. Users should upgrade to versions 17.11.1, 17.10.5, or 17.9.7 to mitigate these security risks.
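Because the five issues start at different releases but share the same three fixed versions, an added example (written for this article, not GitLab tooling) that maps a running version to the CVEs it is exposed to and to the nearest fixed release. The ranges are the ones stated above; the article gives no start release for CVE-2025-1908, so the 16.6 start of the other two Maven Dependency Proxy issues is assumed for it and marked as such in the code.

```python
"""Map a self-managed GitLab version to the CVEs in this advisory it is exposed to.

Added example for this article, not GitLab tooling. The affected ranges are
the ones quoted in the text; every issue is fixed in 17.9.7, 17.10.5 and
17.11.1. The article gives no range for CVE-2025-1908, so the 16.6 start
used for the other two Maven Dependency Proxy issues is assumed for it.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

FIXED: List[Version] = [(17, 9, 7), (17, 10, 5), (17, 11, 1)]

# CVE -> first affected release, as stated in the article (see note on 1908).
INTRODUCED: Dict[str, Version] = {
    "CVE-2025-1763": (16, 6, 0),   # XSS in Maven Dependency Proxy
    "CVE-2025-2443": (16, 6, 0),   # XSS with CSP bypass in Maven Dependency Proxy
    "CVE-2025-1908": (16, 6, 0),   # NEL header injection (start ASSUMED, see docstring)
    "CVE-2025-0639": (16, 7, 0),   # DoS via issue preview
    "CVE-2024-12244": (17, 7, 0),  # unauthorized access to branch names
}


def parse_version(text: str) -> Version:
    """Accept '17.10.3', 'v17.10.3' or '17.10.3-ee' and return (17, 10, 3)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-.*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def lacks_fix(v: Version) -> bool:
    """True when v is older than the fixed release of its own line.

    Lines that never received a fix (17.8.x, 17.0.x, ...) are compared with
    17.9.7, the lowest fixed release, because 'prior to 17.9.7' covers them."""
    line = v[:2]
    if line >= (17, 11):
        return v < (17, 11, 1)
    if line == (17, 10):
        return v < (17, 10, 5)
    return v < (17, 9, 7)


def affected_cves(version: str) -> List[str]:
    """CVEs from the advisory that apply to the given version (empty if patched)."""
    v = parse_version(version)
    if not lacks_fix(v):
        return []
    return [cve for cve, first in INTRODUCED.items() if v >= first]


def upgrade_target(version: str) -> Optional[str]:
    """Lowest fixed release not older than the running version; None if patched."""
    v = parse_version(version)
    if not lacks_fix(v):
        return None
    for fixed in FIXED:
        if fixed >= v:
            return "{}.{}.{}".format(*fixed)
    return None  # unreachable: every unfixed version is below 17.11.1


if __name__ == "__main__":
    # Constructed sample versions, not output from any real instance.
    for sample in ["16.5.9", "16.6.2", "17.6.0", "17.8.1-ee", "17.10.4", "17.11.0", "17.11.1"]:
        print(f"{sample:10s} -> upgrade to {upgrade_target(sample)} ; {affected_cves(sample)}")
```

The running version of a self-managed instance is shown in the Admin area and returned by the authenticated `GET /api/v4/version` endpoint (as `17.10.3-ee`, for example, which `parse_version` accepts). Before jumping from an older line such as 17.8 to 17.9.7, check GitLab's documented upgrade path, since some upgrades require intermediate stops.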