In a critical mid-week security sprint, GitLab has rolled out a series of important updates for its Community Edition (CE) and Enterprise Edition (EE), squashing a high-severity bug that could let an attacker perform actions as another user by planting malicious content in wiki pages. The release, which covers versions 18.6.2, 18.5.4, and 18.4.6, addresses multiple vulnerabilities ranging from Cross-Site Scripting (XSS) to information leaks.
Administrators of self-managed instances are being urged to “upgrade to the latest version as soon as possible” to close these security gaps.
The headliner of this patch batch is CVE-2025-12716, a high-severity XSS vulnerability with a CVSS score of 8.7. This flaw turns the collaborative power of the Wiki feature against its users.
According to the advisory, the vulnerability exists “under certain conditions” where an authenticated user could create wiki pages containing malicious content. If viewed by another user, this content could trick the system into “performing unauthorized actions on behalf of another user”. In practice, an attacker with an account on the instance could weaponize a documentation page so that it silently performs actions in the victim’s browser session, with the victim’s privileges, the moment the victim opens the page.
This issue affects GitLab CE/EE versions starting from 18.4 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2.
The update also closes several injection-style flaws where the platform failed to properly encode user-supplied input before rendering it:
- CVE-2025-8405: A security flaw was found in how vulnerability reports are handled. Improper encoding allowed authenticated users to inject “malicious HTML into vulnerability reports”, potentially leading to unauthorized actions.
- CVE-2025-12734: In a similar vein, the titles of merge requests were found to be susceptible to HTML injection. This flaw could allow an attacker to “leak sensitive information from specifically crafted merge request titles”.
CVE-2025-13978 (CVSS 4.3) is an information disclosure flaw where error messages were a bit too helpful. The advisory notes that an authenticated user could “discover the names of private projects they do not have access to” simply by analyzing the error responses returned to API requests.
Additionally, a separate issue involving GraphQL queries was patched in GitLab EE. This vulnerability allowed users to “disclose sensitive information from private projects” by executing specifically crafted queries, a reminder of the complexities involved in securing modern API endpoints.
GitLab.com and GitLab Dedicated environments have already been patched, but self-managed instances remain at risk until updated. Security teams should prioritize deploying 18.6.2, 18.5.4, or 18.4.6 immediately.
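As an added example (not GitLab’s own tooling), here is a small Python check that classifies a self-managed instance’s version against the ranges stated above (18.4 before 18.4.6, 18.5 before 18.5.4, 18.6 before 18.6.2). The version string can be taken from the instance’s `GET /api/v4/version` endpoint, which requires an authenticated token and returns a JSON body with `version` and `revision` fields; the sample payload in the block is constructed, and versions outside the listed series are flagged rather than declared safe, since the advisory says nothing about them.

```python
import json

# Fixed releases named in the advisory, keyed by minor series.
FIXED_BY_MINOR = {
    (18, 4): (18, 4, 6),
    (18, 5): (18, 5, 4),
    (18, 6): (18, 6, 2),
}
LATEST_FIXED = max(FIXED_BY_MINOR.values())


def parse_version(text: str) -> tuple:
    """Turn a GitLab version string into a comparable (major, minor, patch) tuple.

    Instances report strings such as "18.6.1", "18.6.1-ee" or "18.7.0-pre";
    the edition/pre-release suffix is irrelevant to the range check, so it is
    dropped. Anything that is not three dotted integers is rejected.
    """
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def assess(version_text: str) -> tuple:
    """Classify a version against the advisory ranges.

    Returns (status, advice). status is one of:
      "affected"   - inside a listed series and below its fixed release
      "patched"    - at or above the fixed release for its series
      "newer"      - a later series than the advisory covers
      "not-listed" - an earlier series than the advisory covers
    """
    v = parse_version(version_text)
    series = v[:2]
    if series in FIXED_BY_MINOR:
        fixed = FIXED_BY_MINOR[series]
        if v < fixed:
            return ("affected", "upgrade to %d.%d.%d or later" % fixed)
        return ("patched", "fixed release for this series")
    if v > LATEST_FIXED:
        return ("newer", "later series than the advisory covers; "
                         "confirm the fixes against its release notes")
    return ("not-listed", "earlier than 18.4: outside the listed ranges; "
                          "only 18.4.6, 18.5.4 and 18.6.2 carry these fixes")


def version_from_api_payload(payload: str) -> str:
    """Extract the version from the JSON body returned by GET /api/v4/version."""
    return json.loads(payload)["version"]


if __name__ == "__main__":
    # Constructed sample payload standing in for a real API response.
    sample = '{"version": "18.6.1-ee", "revision": "deadbeef"}'
    checks = [version_from_api_payload(sample),
              "18.5.4", "18.4.5-ee", "18.3.9", "18.7.0-pre"]
    for text in checks:
        status, advice = assess(text)
        print(f"{text:12} {status:10} {advice}")
```

Run it against the version your instance reports; an "affected" result means one of the three fixed releases is the next step, and "newer" or "not-listed" means the advisory does not speak for that version, so check its own release notes rather than assuming it is clean.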