VYPR
patch · Published Jul 9, 2025 · Updated May 20, 2026 · 1 source

GitLab Patches High-Severity XSS and Authorization Flaws in Emergency Release

GitLab released versions 18.1.2, 18.0.4, and 17.11.6 on July 9, 2025, fixing four security vulnerabilities including a high-severity cross-site scripting issue (CVE-2025-6948) and three authorization bypass flaws.

GitLab has released patch versions 18.1.2, 18.0.4, and 17.11.6 for both Community Edition (CE) and Enterprise Edition (EE), addressing four security vulnerabilities, one of them rated high severity. The most serious, tracked as CVE-2025-6948, is a cross-site scripting (XSS) vulnerability with a CVSS score of 8.7. Under certain conditions, an attacker who can inject malicious content could use it to execute actions in the browser session of a legitimate user, with that user's privileges. The flaw affects all GitLab versions from 17.11 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2. It was reported by researcher yvvdwf through GitLab's HackerOne bug bounty program.

In addition to the XSS flaw, GitLab patched three improper authorization vulnerabilities. CVE-2025-3396 (CVSS 4.3) allows an authenticated project owner to bypass group-level forking restrictions by manipulating API requests; it affects versions from 13.3 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2, so instances on any branch older than 17.11 have no patched release on their current branch and must move forward. The other two flaws, CVE-2025-4972 and CVE-2025-6168 (both CVSS 2.7), are specific to GitLab EE and concern bypassing group-level user invitation restrictions: CVE-2025-4972 can be exploited by an authenticated user who already holds invitation privileges, while CVE-2025-6168 requires authenticated maintainer access and crafted API requests. These were reported by researchers mateuszek and hunter0xp7, respectively. Both invitation bypasses matter mainly for groups that rely on invitation restrictions to keep outside accounts out of their projects, since a successful bypass lets a member add users the group policy was meant to block.

GitLab also updated the bundled rsync utility to version 3.4.1, which addresses two security vulnerabilities: CVE-2024-12084, a heap-based buffer overflow in the rsync daemon, and CVE-2024-12088, a path traversal issue affecting the --safe-links option. These are not flaws in GitLab's own code, but the rsync binary shipped with GitLab packages is exposed to them, so the bump is part of the same upgrade. The release also includes numerous bug fixes, such as backports for the container registry, exporter updates, and fixes for flaky tests and UI issues.

GitLab strongly recommends that all self-managed installations running affected versions upgrade immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take action. Per GitLab's disclosure policy, full vulnerability details are published on its issue tracker 30 days after the patch release, which gives administrators a window to update before exploit details become public. An XSS flaw rated this highly in a source-control platform deserves prompt attention: actions executed in a victim's session can reach repositories, merge requests, and any tokens or settings that user can manage.
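To turn the affected-version ranges above into something an administrator can run against an instance, here is an added example (not GitLab's code, and not part of the original article) that parses the version string returned by GitLab's GET /api/v4/version endpoint and reports which of the four CVEs apply and which patched release to move to. The fixed versions and the lower bounds for CVE-2025-6948 (17.11) and CVE-2025-3396 (13.3) come from the advisory text; the two EE-only invitation bypasses have no lower bound stated on this page, so the checker treats every earlier release as affected, which is an assumption of the script. It also assumes, as Omnibus installs do, that EE versions carry an "-ee" suffix and CE versions carry none. The sample API response is constructed, so the script runs offline.

```python
"""Check a GitLab version string against the July 9, 2025 patch release ranges."""
import json
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Patched release for each maintained branch named in the advisory.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (17, 11): (17, 11, 6),
    (18, 0): (18, 0, 4),
    (18, 1): (18, 1, 2),
}

# Lower bound of the affected range and the editions each CVE applies to.
# A lower bound of None means the page states no lower bound; this script then
# treats every release before the fix as affected (assumption, not GitLab's text).
ADVISORIES: Dict[str, Tuple[Optional[Version], Tuple[str, ...]]] = {
    "CVE-2025-6948": ((17, 11, 0), ("ce", "ee")),  # XSS, CVSS 8.7
    "CVE-2025-3396": ((13, 3, 0), ("ce", "ee")),   # forking-restriction bypass, CVSS 4.3
    "CVE-2025-4972": (None, ("ee",)),              # invitation-restriction bypass, CVSS 2.7
    "CVE-2025-6168": (None, ("ee",)),              # invitation-restriction bypass, CVSS 2.7
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(ee|ce))?")


def parse_version(text: str) -> Tuple[Version, str]:
    """Parse '18.1.1-ee' into ((18, 1, 1), 'ee').

    Assumption: EE reports an '-ee' suffix and CE reports none, as Omnibus does.
    Trailing pre-release markers after the patch number are ignored.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, patch), (m.group(4) or "ce")


def is_fixed(v: Version) -> bool:
    """True if v is at or above its branch's patched release, or on a newer branch.

    Branches newer than 18.1 were cut after the fix. Branches older than 17.11 are
    out of GitLab's maintenance window and received no patched release, so they
    are never considered fixed here.
    """
    branch = (v[0], v[1])
    if branch in FIXED_BY_BRANCH:
        return v >= FIXED_BY_BRANCH[branch]
    return branch > (18, 1)


def affected_cves(text: str) -> List[str]:
    """Return the CVEs from this release that apply to the given version string."""
    v, edition = parse_version(text)
    if is_fixed(v):
        return []
    hits = []
    for cve, (since, editions) in ADVISORIES.items():
        if edition not in editions:
            continue
        if since is not None and v < since:
            continue
        hits.append(cve)
    return hits


def recommended_target(text: str) -> Optional[str]:
    """Lowest patched release for the version's branch, or None if already fixed.

    Versions on branches older than 17.11 have no patched release of their own and
    are pointed at 17.11.6, the lowest patched release in this set.
    """
    v, _ = parse_version(text)
    if is_fixed(v):
        return None
    target = FIXED_BY_BRANCH.get((v[0], v[1]), (17, 11, 6))
    return "{}.{}.{}".format(*target)


def check_version_response(body: str) -> Dict[str, object]:
    """Summarise exposure from the JSON body of GET /api/v4/version.

    The real request needs a PRIVATE-TOKEN header with read_api scope; the body
    looks like {"version": "18.1.1-ee", "revision": "..."}.
    """
    version = json.loads(body)["version"]
    return {
        "version": version,
        "affected": affected_cves(version),
        "upgrade_to": recommended_target(version),
    }


if __name__ == "__main__":
    # Constructed sample response standing in for a live /api/v4/version call.
    sample = '{"version": "18.1.1-ee", "revision": "0123abcd"}'
    print(check_version_response(sample))
```

The target the script names is the lowest patched release at or above the running branch; GitLab's documented upgrade path may still require intermediate stops before reaching it, so check that path before scheduling the upgrade. A version that reports no CVEs but sits on a branch older than 17.11 is out of support rather than safe, and should be moved to a maintained branch regardless.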

All four vulnerabilities were reported through GitLab's bug bounty program on HackerOne, a reminder of how much of the platform's security fixes originate in external research. Organizations running self-managed GitLab should prioritize this upgrade, and should treat the high-severity XSS as the driver for scheduling it rather than waiting for the lower-rated authorization issues to be detailed. As GitLab keeps adding features, a routine process for applying its patch releases promptly remains one of the simplest controls available to enterprise security teams.

Synthesized by Vypr AI