
GitLab has released versions 17.9.2, 17.8.5, and 17.7.7 of its Community Edition (CE) and Enterprise Edition (EE). The releases fix several security issues, the most serious being two critical authentication bypass vulnerabilities in the ruby-saml library that GitLab uses for SAML single sign-on.
Critical Authentication Bypass Vulnerabilities
The two most severe issues, tracked as CVE-2025-25291 and CVE-2025-25292, reside in the ruby-saml library, which GitLab uses for SAML single sign-on (SSO) authentication. According to the advisory, they could allow an attacker with access to a valid signed SAML document from the Identity Provider (IdP) to authenticate as another valid user within the environment's SAML IdP under certain circumstances. In practice, anyone who can obtain a legitimately signed assertion from the IdP, such as an ordinary user of that IdP, is in a position to attempt this.
The root cause is a parser differential: ruby-saml used both ReXML and Nokogiri while validating a signed document, and the two libraries can build different document structures from the same XML input. An attacker can craft a document in which the parser that checks the signature sees one signed element while the parser that reads the assertion sees another. That is the classic XML Signature Wrapping attack, and it leads directly to authentication bypass.
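The following Ruby script is an added illustration, not code from ruby-saml or GitLab. It models the structural flaw that a parser differential hands an attacker, without reproducing the specific ReXML/Nokogiri discrepancy (which the advisory does not detail): the code that checks the signature locates the signed Assertion by its ID anywhere in the tree, while the code that reads the user takes whatever Assertion sits at the expected position. A keyed HMAC over the serialised element stands in for a real XML-DSig RSA signature over canonicalised SignedInfo, element names are simplified (no SAML namespaces), and the key, IDs and user names are constructed for the example.

```ruby
require "rexml/document"
require "openssl"

# Constructed signing key; a real IdP signs with an RSA key over C14N output.
DEMO_IDP_KEY = "demo-idp-signing-key".freeze

# Stand-in for XML-DSig: keyed hash over the serialised element.
def toy_sign(serialized_element)
  OpenSSL::HMAC.hexdigest("SHA256", DEMO_IDP_KEY, serialized_element)
end

# Constant-time comparison so the demo does not add a timing side channel.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# IdP side: issue a Response whose Assertion (referenced by ID) is signed.
def build_signed_response(name_id, assertion_id: "_a1")
  doc = REXML::Document.new(
    %(<Response><Assertion ID="#{assertion_id}"><Subject><NameID>#{name_id}</NameID></Subject></Assertion></Response>)
  )
  assertion = doc.elements["/Response/Assertion"]
  signature = doc.root.add_element("Signature")
  signature.add_element("Reference", "URI" => "##{assertion_id}")
  signature.add_element("SignatureValue").text = toy_sign(assertion.to_s)
  doc.to_s
end

# Attacker side: keep the signed Assertion byte-for-byte intact but move it into
# a wrapper element, and put a forged Assertion for the victim where it stood.
def wrap_attack(signed_response_xml, victim_name_id)
  doc = REXML::Document.new(signed_response_xml)
  original = doc.elements["/Response/Assertion"]
  forged = REXML::Element.new("Assertion")
  forged.add_attribute("ID", "_forged")
  forged.add_element("Subject").add_element("NameID").text = victim_name_id
  original.remove
  doc.root.add_element(forged)
  doc.root.add_element("Extensions").add_element(original)
  doc.to_s
end

# Vulnerable service provider: the signature check and the user lookup disagree
# about which Assertion is "the" Assertion, which is the differential in miniature.
def naive_verify_and_get_user(response_xml)
  doc = REXML::Document.new(response_xml)
  reference = doc.elements["/Response/Signature/Reference"]
  return nil unless reference
  ref_id = reference.attributes["URI"].delete_prefix("#")
  signed = doc.elements["//Assertion[@ID='#{ref_id}']"]   # found anywhere in the tree
  return nil unless signed
  sig = doc.elements["/Response/Signature/SignatureValue"].text
  return nil unless secure_compare(sig, toy_sign(signed.to_s))
  doc.elements["/Response/Assertion/Subject/NameID"].text  # BUG: may not be `signed`
end

# Hardened service provider: one parser for the whole check, exactly one
# Assertion, in the position the profile expects, and the user is read from the
# very element whose signature was verified.
def hardened_verify_and_get_user(response_xml)
  doc = REXML::Document.new(response_xml)
  assertions = doc.elements.to_a("//Assertion")
  return nil unless assertions.length == 1
  assertion = assertions.first
  return nil unless assertion.parent.equal?(doc.root)
  reference = doc.elements["/Response/Signature/Reference"]
  return nil unless reference && reference.attributes["URI"] == "##{assertion.attributes['ID']}"
  sig = doc.elements["/Response/Signature/SignatureValue"].text
  return nil unless secure_compare(sig, toy_sign(assertion.to_s))
  assertion.elements["Subject/NameID"].text
end

if __FILE__ == $PROGRAM_NAME
  legit = build_signed_response("alice@example.com")
  attack = wrap_attack(legit, "admin@example.com")
  puts "naive:    #{naive_verify_and_get_user(attack).inspect}"
  puts "hardened: #{hardened_verify_and_get_user(attack).inspect}"
end
```

Running it, the naive verifier accepts the wrapped document and returns the victim's identity even though the signature still verifies over the untouched original assertion, while the hardened verifier rejects it. The lesson for anyone writing or reviewing SAML code is that the element you authenticate must be the element you consume, located and serialised by a single parser; with ruby-saml the practical remedy is simply to upgrade.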
Mitigation Steps for Users Unable to Update Immediately
GitLab has provided mitigation steps for administrators who cannot upgrade their instances immediately:
- Enabling GitLab two-factor authentication for all user accounts.
- Disabling the SAML two-factor bypass option in GitLab.
- Requiring admin approval for automatically created new users.
Note that enabling multi-factor authentication at the identity provider does not mitigate this vulnerability: the attacker presents a forged assertion to GitLab, so it makes no difference how strongly the attacker authenticated to the IdP. Only a second factor enforced by GitLab itself stands in the way.
Additional Vulnerabilities Addressed
The releases also patch the following vulnerabilities:
- CVE-2025-27407: A high-severity remote code execution vulnerability in the graphql-ruby library. It could be exploited through the Direct Transfer feature (disabled by default on self-managed instances) if an attacker-controlled authenticated user attempts to transfer a maliciously crafted project.
- Denial of Service: A medium-severity denial-of-service vulnerability (CVE-2024-13054) that could allow an attacker to cause a system reboot under certain conditions.
- Credentials Disclosure: A medium-severity issue (CVE-2024-12380) where certain user inputs in repository mirroring settings could expose sensitive authentication information.
- Denial of Service in Approval Rules: A medium-severity vulnerability (CVE-2025-1257) that could allow an attacker to cause a denial-of-service condition by manipulating specific API inputs.
- Internal Notes Disclosure: A medium-severity issue (CVE-2025-0652) that could allow unauthorized users to access confidential information intended for internal use only.
- Shell Code Injection: A low-severity issue (CVE-2024-8402) in the Google Cloud IAM integration feature that could enable a Maintainer to introduce malicious code.
- User Invitation Approval Bypass: A low-severity issue (CVE-2024-7296) that allowed a user with a custom permission to approve pending membership requests beyond the maximum number of allowed users.
Recommendations
GitLab strongly recommends that all installations running an affected version upgrade to the latest version as soon as possible. Where that is not immediately possible, the mitigation steps above should be applied in the meantime, bearing in mind that they reduce exposure rather than fix the underlying flaw.
GitLab has acknowledged and thanked the security researchers and maintainers who reported and collaborated on resolving these vulnerabilities through their HackerOne bug bounty program.