GitLab has issued urgent security updates for its Community Edition (CE) and Enterprise Edition (EE), addressing a series of high-severity vulnerabilities that impact self-managed installations. The newly released versions—18.0.2, 17.11.4, and 17.10.8—contain critical fixes, and administrators are strongly advised to upgrade immediately.
“We strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately,” GitLab warned in its advisory.
One of the most severe vulnerabilities fixed in this release is CVE-2025-4278, an HTML injection flaw affecting the GitLab search page. Under specific conditions, attackers could inject malicious HTML content that enables account takeover. The vulnerability affects all versions of GitLab CE/EE starting with 18.0 and prior to 18.0.2.
“GitLab has remediated an issue that, under certain conditions, could have allowed a successful attacker to achieve account takeover by injecting code into the search page,” the advisory explains.
GitLab also addressed CVE-2025-2254, a cross-site scripting (XSS) vulnerability located in the snippet viewer. This flaw allowed attackers to run malicious scripts in the context of another legitimate user, potentially enabling session hijacking or data theft. The vulnerability affects GitLab CE/EE versions from 17.9 up to—but not including—17.10.8, 17.11.4, and 18.0.2.
A significant issue exclusive to GitLab Ultimate EE was also patched: CVE-2025-5121. This vulnerability could allow an authenticated attacker to inject malicious CI/CD jobs into all future pipelines of any project within an affected GitLab instance. It affects GitLab Ultimate EE versions from 17.11 before 17.11.4 and from 18.0 before 18.0.2.
GitLab has also patched several DoS vulnerabilities that could allow attackers to disrupt services:
- CVE-2025-0673: Infinite redirect loop causing memory exhaustion
- CVE-2025-1516: Unbounded webhook token names
- CVE-2025-1478: Oversized board names
- CVE-2025-5996: Malicious third-party components
Each of these flaws could be used to prevent legitimate users from accessing GitLab instances, especially in high-availability environments.
Other Notable Fixes
- CVE-2024-9512: Information disclosure via secondary node sync delays
- CVE-2025-5195: Authorization bypass revealing sensitive compliance data
- CVE-2025-5982: Group-level IP restriction bypass
Administrators should upgrade to 18.0.2, 17.11.4, or 17.10.8 immediately. These patches address vulnerabilities affecting GitLab versions going back as far as 2.1.0.
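The practical question for an administrator is which of the three releases applies to a given instance and which of the listed flaws it is exposed to until then. The following is an added example for this article, not GitLab's own tooling: it parses the version string an instance reports (the "Version:" line of `gitlab-rake gitlab:env:info`, or the `version` field returned by `GET /api/v4/version`), compares it against the affected ranges this page states for CVE-2025-4278, CVE-2025-2254 and CVE-2025-5121, and names the patched release in the same line. The version string does not reveal the licence tier, so the Ultimate EE flag for CVE-2025-5121 is supplied by the caller; the sample inputs at the bottom are constructed, not output from a real instance.

```python
"""Map a self-managed GitLab version to this advisory's fixed releases.

Added example, not GitLab's own tooling. The affected ranges are the ones
stated on this page for the three named CVEs; the DoS and other fixes are
picked up by moving to the same three releases.
"""
import re

# Patched release in each line named by the advisory, keyed by (major, minor).
FIXED = {
    (18, 0): (18, 0, 2),
    (17, 11): (17, 11, 4),
    (17, 10): (17, 10, 8),
}
OLDEST_FIXED_LINE = (17, 10)

# Affected ranges as [lo, hi) tuples per CVE, as stated on the page.
# CVE-2025-5121 is specific to Ultimate EE, which the version string alone
# does not reveal, so the caller passes the tier explicitly (assumption).
AFFECTED = [
    ("CVE-2025-4278", False, [((18, 0, 0), (18, 0, 2))]),
    ("CVE-2025-2254", False, [((17, 9, 0), (17, 10, 8)),
                              ((17, 11, 0), (17, 11, 4)),
                              ((18, 0, 0), (18, 0, 2))]),
    ("CVE-2025-5121", True, [((17, 11, 0), (17, 11, 4)),
                             ((18, 0, 0), (18, 0, 2))]),
]

# GitLab reports strings such as "18.0.1-ee", "17.11.3" or "18.1.0-pre";
# CE carries no "-ee" suffix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(ee))?(?:[-.+].*)?$")


def parse_version(text):
    """Return ((major, minor, patch), edition) with edition 'ce' or 'ee'."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised GitLab version string: %r" % text)
    version = tuple(int(m.group(i)) for i in (1, 2, 3))
    edition = "ee" if m.group(4) else "ce"
    return version, edition


def assess(text, ultimate=False):
    """Report which listed CVEs apply and which release to upgrade to.

    `ultimate` must be True for an Ultimate EE licence; it is ignored for CE.
    """
    version, edition = parse_version(text)
    is_ultimate = edition == "ee" and ultimate
    affected = [
        cve for cve, ultimate_only, ranges in AFFECTED
        if (not ultimate_only or is_ultimate)
        and any(lo <= version < hi for lo, hi in ranges)
    ]
    line = version[:2]
    target = None
    if line in FIXED:
        # Inside a patched line: upgrade only if below the fixed release.
        needs_upgrade = version < FIXED[line]
        if needs_upgrade:
            target = "%d.%d.%d" % FIXED[line]
    elif line < OLDEST_FIXED_LINE:
        # Older lines received no backport; move to a patched line, following
        # GitLab's documented upgrade path rather than jumping directly.
        needs_upgrade = True
    else:
        # Newer than 18.0: outside every range this advisory names.
        needs_upgrade = False
    return {
        "version": "%d.%d.%d" % version,
        "edition": edition,
        "affected": affected,
        "target": target,
        "needs_upgrade": needs_upgrade,
    }


if __name__ == "__main__":
    # Constructed sample inputs, not output from a real instance.
    for sample, tier in [("18.0.1-ee", True), ("17.11.3", False),
                         ("17.10.8-ee", False), ("17.8.5-ee", True)]:
        print(sample, assess(sample, ultimate=tier))
```

An instance already on a patched release reports no affected CVEs and no target; anything below 17.10.0 is flagged for upgrade even though it falls outside the three named ranges, because the advisory fixes reach back far earlier than those ranges and no patched release exists in those older lines.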