GitLab has released a new round of security updates for both Community Edition (CE) and Enterprise Edition (EE), addressing multiple vulnerabilities — including a high-severity flaw that could allow stored XSS attacks.
The updates impact all self-managed GitLab installations running vulnerable versions. GitLab strongly advises administrators to patch as soon as possible.
The most severe issue remediated in this update, tracked as CVE-2025-11224 (CVSS 7.7), is a stored cross-site scripting (XSS) vulnerability in GitLab's Kubernetes proxy feature.
GitLab explains that:
“An authenticated user [could] execute stored cross-site scripting through improper input validation in the Kubernetes proxy functionality.”
If exploited, an authenticated attacker with low privileges could plant JavaScript that runs in the browsers of other users who view the affected component. Because the payload executes in the GitLab origin, it can act on the viewer's behalf within the application, so a victim with elevated rights, such as an administrator, is the most damaging target.
The second notable flaw, CVE-2025-11865 (CVSS 6.5), is exclusive to GitLab EE and allows a user to delete Duo workflows belonging to another user.
GitLab states:
“An issue that, under certain circumstances, could have allowed a user to remove Duo flows of another user.”
This is a missing authorization check: the deletion endpoint did not verify, under the conditions GitLab describes, that the caller owned the flow being removed. It is less severe than the XSS vulnerability, since it destroys another user's Duo flows rather than granting access to them, but it is still a cross-user action that should not be possible, and it matters most in large GitLab EE environments where many users share Duo.
GitLab also fixed several medium and low-severity flaws, including:
- CVE-2025-2615 — Information disclosure via GraphQL subscriptions
- CVE-2025-7000 — Unauthorized access to confidential branch names
- CVE-2025-6945 — Prompt injection in GitLab Duo Review
- CVE-2025-11990 — Client-side path traversal to obtain CSRF tokens
- CVE-2025-6171 — Information disclosure via Packages API endpoint
- CVE-2025-7736 — Improper access control in GitLab Pages
- CVE-2025-12983 — Denial of service via nested markdown
All of these vulnerabilities are patched in GitLab CE and EE 18.5.2, 18.4.4, and 18.3.6. Installations on any older 18.5.x, 18.4.x, or 18.3.x release, or on a minor version older than 18.3, are affected and should be upgraded.
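A quick way to check whether a self-managed instance is on a patched release is to compare its version against the fixed releases per minor branch. The script below is an added example written for this article, not GitLab's own tooling. It assumes the three fixed versions stated above, treats any release newer than 18.5.2 as already containing these fixes (an assumption: GitLab backports security fixes to the latest minor releases, so later releases include them), and treats anything older than the 18.3 branch as unpatched because no fixed release exists for it. The optional fetch uses GitLab's real `GET /api/v4/version` endpoint, which requires a personal access token; the offline checks need no network.

```python
import json
import re
import urllib.request

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED = {
    (18, 5): (18, 5, 2),
    (18, 4): (18, 4, 4),
    (18, 3): (18, 3, 6),
}

# GitLab reports versions such as "18.4.3-ee"; only the numeric prefix matters.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def fmt(v):
    """Render a (major, minor, patch) tuple as '18.4.4'."""
    return ".".join(str(x) for x in v)


def parse_version(text):
    """Turn '18.4.3-ee' into (18, 4, 3); edition suffixes are ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text):
    """Return (vulnerable, reason) for a GitLab version string."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch in FIXED:
        fixed = FIXED[branch]
        if v >= fixed:
            return False, f"{version_text}: at or above fixed release {fmt(fixed)}"
        return True, (f"{version_text}: below fixed release {fmt(fixed)}; "
                      f"upgrade to {fmt(fixed)} or later")
    newest = max(FIXED.values())
    if v > newest:
        # Assumption: releases after 18.5.2 already carry these fixes.
        return False, f"{version_text}: newer than the patched branches; assumed fixed"
    oldest = min(FIXED.values())
    # No fixed release exists for branches older than 18.3.
    return True, (f"{version_text}: older than the oldest patched branch; "
                  f"upgrade to {fmt(oldest)} or later")


def fetch_version(base_url, token):
    """Query a live instance's version (needs a token with read_api scope)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Constructed sample versions; replace with fetch_version(url, token)
    # to check a real instance.
    for sample in ["18.5.1-ee", "18.5.2-ce", "18.4.3-ee", "18.3.6", "18.2.9", "18.6.0"]:
        vulnerable, reason = assess(sample)
        print("VULNERABLE" if vulnerable else "ok        ", reason)
```

Run it as-is to see the decision for each constructed sample; point `fetch_version` at your own instance to check a live deployment. Note that the `/api/v4/version` endpoint only confirms the application version, not whether a reverse proxy or WAF in front of it blocks the affected Kubernetes proxy paths, so the version comparison is the authoritative check.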