Unrated severity · NVD Advisory · Published Mar 3, 2025 · Updated Mar 3, 2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
CVE-2025-0475
Description
An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1. A proxy feature could potentially allow unintended content rendering leading to XSS under specific circumstances.
Affected products
33 entries:
- cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:* (range: 15.10)
- (no CPE) range: <17.9.1 && >=15.10 || (<17.8.4 && >=17.8) || (<17.7.6 && >=15.10)
- OSV coordinates (31 versions; each package listed with its fixed-version range as given in the record):
  - pkg:apk/chainguard/gitlab-docker-machine-17.8 (range: < 17.8.4-r0)
  - pkg:apk/chainguard/gitlab-docker-machine-17.9 (range: < 17.9.1-r0)
  - pkg:apk/chainguard/gitlab-docker-machine-fips-17.8 (range: < 17.8.4-r0)
  - pkg:apk/chainguard/gitlab-docker-machine-fips-17.9 (range: < 17.9.2-r0)
  - pkg:apk/chainguard/gitlab-runner-17.8 (range: < 17.8.4-r0)
  - pkg:apk/chainguard/gitlab-runner-17.9 (range: < 17.9.1-r0)
  - pkg:apk/chainguard/gitlab-runner-fips-17.8 (range: < 17.8.4-r0)
  - pkg:apk/chainguard/gitlab-runner-fips-17.9 (range: < 17.9.2-r0)
  - pkg:apk/chainguard/gitlab-runner-helper-17.8 (range: < 17.8.4-r0)
  - pkg:apk/chainguard/gitlab-runner-helper-17.9 (range: < 17.9.1-r0)
  - pkg:apk/chainguard/gitlab-runner-helper-compat-17.8 (range: < 17.8.4-r0)
  - pkg:apk/chainguard/gitlab-runner-helper-compat-17.9 (range: < 17.9.1-r0)
  - pkg:apk/chainguard/gitlab-runner-helper-compat-fips-17.8 (range: < 17.8.4-r0)
  - pkg:apk/chainguard/gitlab-runner-helper-compat-fips-17.9 (range: < 17.9.2-r0)
  - pkg:apk/chainguard/gitlab-runner-helper-fips-17.8 (range: < 17.8.4-r0)
  - pkg:apk/chainguard/gitlab-runner-helper-fips-17.9 (range: < 17.9.2-r0)
  - pkg:apk/chainguard/gitlab-runner-helper-oci-entrypoint-17.8 (range: < 17.8.4-r0)
  - pkg:apk/chainguard/gitlab-runner-helper-oci-entrypoint-17.9 (range: < 17.9.1-r0)
  - pkg:apk/chainguard/gitlab-runner-helper-oci-entrypoint-fips-17.8 (range: < 17.8.4-r0)
  - pkg:apk/chainguard/gitlab-runner-helper-oci-entrypoint-fips-17.9 (range: < 17.9.2-r0)
  - pkg:apk/chainguard/gitlab-runner-oci-entrypoint-17.8 (range: < 17.8.4-r0)
  - pkg:apk/chainguard/gitlab-runner-oci-entrypoint-17.9 (range: < 17.9.1-r0)
  - pkg:apk/chainguard/gitlab-runner-oci-entrypoint-fips-17.8 (range: < 17.8.4-r0)
  - pkg:apk/chainguard/gitlab-runner-oci-entrypoint-fips-17.9 (range: < 17.9.2-r0)
  - pkg:apk/wolfi/gitlab-docker-machine-17.9 (range: < 17.9.1-r0)
  - pkg:apk/wolfi/gitlab-runner-17.9 (range: < 17.9.1-r0)
  - pkg:apk/wolfi/gitlab-runner-helper-17.9 (range: < 17.9.1-r0)
  - pkg:apk/wolfi/gitlab-runner-helper-compat-17.9 (range: < 17.9.1-r0)
  - pkg:apk/wolfi/gitlab-runner-helper-oci-entrypoint-17.9 (range: < 17.9.1-r0)
  - pkg:apk/wolfi/gitlab-runner-oci-entrypoint-17.9 (range: < 17.9.1-r0)
  - pkg:bitnami/gitlab (range: >= 15.10.0, < 17.9.1)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2 references:
- hackerone.com/reports/2932309 (source: MITRE; tags: technical-description, exploit, permissions-required)
- gitlab.com/gitlab-org/gitlab/-/issues/513142 (source: MITRE; tags: issue-tracking, permissions-required)
News mentions
1 mention:
- GitLab Patch Release: 17.9.1, 17.8.4, 17.7.6 (GitLab Security Releases · Feb 26, 2025)