GitLab has released security updates for its Community Edition (CE) and Enterprise Edition (EE), addressing multiple vulnerabilities that could allow attackers to perform cross-site scripting (XSS) attacks and bypass group-level restrictions.
The most severe of the reported vulnerabilities, CVE-2025-6948, is a cross-site scripting (XSS) issue with a CVSS score of 8.7. This flaw affects all versions from 17.11 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2. According to GitLab, the vulnerability "could have allowed a successful attacker to execute actions on behalf of users by injecting malicious content." This type of attack could compromise user sessions, alter project data, or conduct phishing campaigns.
CVE-2025-3396 is an improper authorization flaw that affects GitLab CE/EE versions from 13.3 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2. With a CVSS score of 4.3, this vulnerability could allow authenticated project owners to bypass group-level forking restrictions by manipulating GitLab's API.
CVE-2025-4972 impacts only GitLab EE and holds a CVSS score of 2.7. In this case, authenticated users with group invitation privileges could bypass administrative restrictions using crafted API requests. Impacted versions include 18.0 before 18.0.4 and 18.1 before 18.1.2.
Another vulnerability exclusive to GitLab EE, CVE-2025-6168, was found in versions 18.0 before 18.0.4 and 18.1 before 18.1.2. It also carries a CVSS score of 2.7. GitLab noted that maintainers could invite users to restricted groups by sending crafted API requests, circumventing administrative access policies.
In addition to the above application-level fixes, GitLab has also upgraded its bundled rsync utility to version 3.4.1, addressing vulnerabilities CVE-2024-12084 and CVE-2024-12088. The organization urges all self-managed GitLab administrators to update to versions 18.1.2, 18.0.4, or 17.11.6 immediately.
"We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible," GitLab stated in its advisory.
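The affected-version ranges above are the practical input an administrator needs: which of the four CVEs apply to a given self-managed instance, and which patch release on that minor line closes them. The following is an added example, not GitLab's own tooling; it encodes exactly the version ranges and editions stated in this article, and the function names and the sample versions in the docstrings are constructed for illustration.

```python
"""
Map a self-managed GitLab version and edition to the CVEs from this
advisory that still apply, and to the patch release that resolves them.

Added example; not GitLab code.  The ranges come from the advisory summary
above: CVE-2025-6948 (CE/EE, 17.11/18.0/18.1 lines), CVE-2025-3396
(CE/EE, 13.3 up to 17.11.6 plus the 18.0/18.1 lines), and CVE-2025-4972
and CVE-2025-6168 (EE only, 18.0/18.1 lines).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(s: str) -> Version:
    """Turn '18.0.4' into (18, 0, 4).  A missing patch component is treated
    as 0 so that a range start such as '18.0' sorts before '18.0.1'."""
    parts = s.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {s!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


@dataclass(frozen=True)
class AffectedRange:
    start: str  # first affected version (inclusive)
    fixed: str  # first patched version (exclusive)

    def contains(self, v: Version) -> bool:
        return parse_version(self.start) <= v < parse_version(self.fixed)


# Affected ranges and editions exactly as stated in the advisory summary.
ADVISORY = {
    "CVE-2025-6948": {
        "editions": {"CE", "EE"},
        "ranges": [AffectedRange("17.11", "17.11.6"),
                   AffectedRange("18.0", "18.0.4"),
                   AffectedRange("18.1", "18.1.2")],
    },
    "CVE-2025-3396": {
        "editions": {"CE", "EE"},
        "ranges": [AffectedRange("13.3", "17.11.6"),
                   AffectedRange("18.0", "18.0.4"),
                   AffectedRange("18.1", "18.1.2")],
    },
    "CVE-2025-4972": {
        "editions": {"EE"},
        "ranges": [AffectedRange("18.0", "18.0.4"),
                   AffectedRange("18.1", "18.1.2")],
    },
    "CVE-2025-6168": {
        "editions": {"EE"},
        "ranges": [AffectedRange("18.0", "18.0.4"),
                   AffectedRange("18.1", "18.1.2")],
    },
}

PATCHED_RELEASES = ("17.11.6", "18.0.4", "18.1.2")


def affected_cves(version: str, edition: str) -> List[str]:
    """Return the CVEs from this advisory that apply to version/edition,
    in the order the advisory lists them.  Edition is 'CE' or 'EE'."""
    v = parse_version(version)
    ed = edition.upper()
    if ed not in {"CE", "EE"}:
        raise ValueError("edition must be 'CE' or 'EE'")
    return [
        cve for cve, info in ADVISORY.items()
        if ed in info["editions"] and any(r.contains(v) for r in info["ranges"])
    ]


def recommended_upgrade(version: str) -> Optional[str]:
    """Smallest patched release on the same minor line (17.11, 18.0, 18.1),
    or None when the version is already at or past the patched release.
    Older minor lines received no patch, so the oldest patched release,
    17.11.6, is suggested for them; lines newer than 18.1 return None."""
    v = parse_version(version)
    for fixed in PATCHED_RELEASES:
        f = parse_version(fixed)
        if v[:2] == f[:2]:
            return fixed if v < f else None
    return "17.11.6" if v < parse_version("17.11.6") else None


if __name__ == "__main__":
    # Sample versions are constructed for illustration.
    for ver, ed in [("18.0.3", "CE"), ("18.0.3", "EE"),
                    ("16.5.0", "CE"), ("18.1.2", "EE")]:
        print(f"{ed} {ver}: {affected_cves(ver, ed) or 'not affected'}; "
              f"upgrade to {recommended_upgrade(ver)}")
```

Note that CVE-2025-3396 alone reaches back to 13.3, so an instance on a minor line such as 16.x that is not affected by the XSS flaw still has no fixed release on its own line and must move to 17.11.6 or later; the function reports that case explicitly rather than treating an old version as clean.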