GitLab has released security updates for Community Edition (CE) and Enterprise Edition (EE) that fix multiple vulnerabilities, including high-severity cross-site scripting (XSS) issues and several information-disclosure and authorization flaws. All users running affected versions are strongly urged to upgrade to the patched releases for their supported line: 18.2.1, 18.1.3, and 18.0.5.
- CVE-2025-4700 – Cross-Site Scripting in Kubernetes Proxy (CVSS 8.7)
This high-severity vulnerability affects GitLab's Kubernetes proxy functionality. Under specific conditions, it could allow an attacker to trigger unintended content rendering in the browser and execute arbitrary JavaScript in the victim's session. This flaw poses a serious risk to confidentiality and integrity within affected deployments.
- CVE-2025-4439 – XSS Vulnerability via Certain CDNs (CVSS 7.7)
A separate cross-site scripting issue was identified that could be exploited when GitLab instances are served through certain content delivery networks. An authenticated user might leverage this to conduct XSS attacks in those specific hosting environments.
- CVE-2025-7001 – Unauthorized API Access to Resource Groups (CVSS 4.3)
This medium-severity vulnerability allowed privileged users to retrieve resource_group information via the GitLab API that should not have been accessible to them. Although it requires authentication, it violates the principle of least privilege and could be abused in environments where the grouping of resources is itself sensitive.
- CVE-2025-4976 – Internal Notes Exposure via GitLab Duo (CVSS 4.3)
Exclusive to GitLab Enterprise Edition, this vulnerability allowed unauthorized access to internal notes associated with GitLab Duo responses under certain edge-case scenarios. While no external user access was confirmed, the flaw had implications for the leakage of confidential commentary.
- CVE-2025-0765 – Custom Service Desk Email Disclosure (CVSS 4.3)
This issue could have allowed an unauthorized actor to access custom email addresses associated with GitLab's Service Desk functionality. The impact is limited to information disclosure, but such addresses could still aid targeted phishing or reconnaissance.
- CVE-2025-1299 – Unauthorized Access to Deployment Job Logs (CVSS 4.3)
Another access control issue was identified that allowed unauthorized users to read deployment job logs by crafting specific requests. This could result in unintended disclosure of sensitive build or deployment information, such as environment details or values echoed by CI scripts.
The updated versions—18.2.1, 18.1.3, and 18.0.5—address issues that could allow attackers to compromise confidentiality, inject malicious scripts, or access restricted information. Administrators of self-managed GitLab instances are strongly advised to upgrade without delay.
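One practical first step is to confirm which release an instance is actually running and whether it is at or above the patched version for its minor line. The following is an added example, not code from GitLab or from this article: it reads the version string from GitLab's authenticated `/api/v4/version` endpoint (a real GitLab API; the base URL and token are placeholders) and compares it against the fixed releases named above. Lines older than 18.0 received no fix in this advisory and are reported as vulnerable; 18.3 and later are assumed to have shipped after the fix, which is an assumption of the example rather than a statement from the advisory.

```python
"""Check whether a self-managed GitLab instance runs a release that
includes the July 2025 patch set (18.2.1 / 18.1.3 / 18.0.5).

Added example, not code from GitLab or from the original article.
The /api/v4/version endpoint and the PRIVATE-TOKEN header are real
GitLab API features; the base URL and token used below are placeholders.
"""
import json
import re
import urllib.request

# First patched release for each supported minor line in this advisory.
PATCHED = {(18, 0): 5, (18, 1): 3, (18, 2): 1}
OLDEST_PATCHED_LINE = (18, 0)


def parse_version(raw):
    """Turn '18.1.2-ee' or '18.2.1' into a (major, minor, patch) tuple.

    Edition suffixes ('-ee') and pre-release tags (e.g. '-pre') are discarded.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", raw)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {raw!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(raw):
    """True if the version is at or above the fixed release for its minor line.

    Lines older than 18.0 got no fix in this advisory and are treated as
    vulnerable; lines newer than 18.2 are assumed (by this example) to carry
    the fixes because they were released afterwards.
    """
    major, minor, patch = parse_version(raw)
    line = (major, minor)
    if line < OLDEST_PATCHED_LINE:
        return False
    if line in PATCHED:
        return patch >= PATCHED[line]
    return True  # 18.3 or later: assumed released after the fix


def fetch_version(base_url, token):
    """Query /api/v4/version (requires an authenticated token) and return the raw string."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Placeholder values: replace with your instance URL and a read-only token.
    version = fetch_version("https://gitlab.example.com", "glpat-REPLACE_ME")
    state = "patched" if is_patched(version) else "VULNERABLE - upgrade"
    print(f"{version}: {state}")
```

The API call needs a token because GitLab's version endpoint is authenticated; a read-only personal access token with `read_api` scope is sufficient. If the instance reports a version such as `18.1.2-ee`, the script flags it as vulnerable because the fixed release for the 18.1 line is 18.1.3.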