GitLab Patches High-Severity XSS and DoS Flaws in Emergency Release 18.4.1
GitLab released versions 18.4.1, 18.3.3, and 18.2.7 on September 25, 2025, fixing multiple security issues including a critical cross-site scripting vulnerability (CVE-2025-9642) and two denial-of-service flaws.

GitLab has shipped emergency patch releases for its Community and Enterprise Edition platforms, addressing a total of ten security vulnerabilities across versions 18.4.1, 18.3.3, and 18.2.7. The most severe of these is CVE-2025-9642, a cross-site scripting (XSS) issue in Script Gadgets that carries a CVSS score of 8.7. Under certain conditions, an unauthenticated attacker could exploit this flaw to execute actions on behalf of other users by injecting malicious content. The vulnerability affects all GitLab instances running versions from 14.10 up to the affected releases, and was responsibly reported through GitLab's HackerOne bug bounty program by researcher joaxcar.
Two high-severity denial-of-service vulnerabilities were also patched. CVE-2025-10858 (CVSS 7.5) allows an unauthenticated attacker to render a GitLab instance unresponsive by uploading specially crafted JSON files. CVE-2025-8014 (CVSS 7.5) enables an attacker to bypass query complexity limits, leading to a denial-of-service condition. The two flaws affect all versions from 11.10 and from 14.10, respectively, and both were reported via the bug bounty program. These DoS issues could be weaponized to disrupt CI/CD pipelines and developer workflows, making timely patching critical for organizations relying on GitLab for software development.
Additional fixes include CVE-2025-9958 (CVSS 7.7), an information disclosure vulnerability in virtual registry configuration that could expose sensitive data to low-privileged users, and CVE-2025-7691 (CVSS 6.5), a privilege escalation flaw in GitLab EE that allows a developer with specific group management permissions to escalate their privileges. The update also addresses CVE-2025-11042 (CVSS 4.3), a denial-of-service issue in the GraphQL API via unbounded array parameters, and CVE-2025-10871 (CVSS 3.1), an improper authorization issue for Project Maintainers when assigning roles. Lower-severity issues include a DoS in GraphQL API blobSearch, incorrect ownership assignment via the Move Issue drop-down, and a DoS via string conversion methods.
GitLab strongly recommends that all self-managed installations running affected versions upgrade immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take action. The patch releases are available for download from the official GitLab repository. Organizations should prioritize upgrading to version 18.4.1 or the appropriate backport for their supported release line. The security fixes are part of GitLab's regular patch cycle, which releases updates on the second and fourth Wednesdays of each month, though this release was issued as an ad-hoc critical patch due to the severity of the vulnerabilities.
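To turn the upgrade guidance above into a check an administrator can run, here is an added example (not GitLab's own tooling) that maps an installed version to the patch release named in this advisory for its line and lists which of the three highest-rated flaws the stated affected ranges place it in. It assumes that release lines older than 18.2 have no backport in this release and should move to 18.4.1, and the sample version strings are constructed.

```python
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Patch releases named in the advisory, keyed by release line (major, minor).
PATCHED: Dict[Tuple[int, int], Version] = {
    (18, 4): (18, 4, 1),
    (18, 3): (18, 3, 3),
    (18, 2): (18, 2, 7),
}
# Earliest affected version the advisory states for each high-rated flaw.
FIRST_AFFECTED: Dict[str, Version] = {
    "CVE-2025-9642 (XSS)": (14, 10, 0),
    "CVE-2025-10858 (JSON DoS)": (11, 10, 0),
    "CVE-2025-8014 (query complexity DoS)": (14, 10, 0),
}

def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH', tolerating the '-ee' suffix GitLab EE appends."""
    parts = text.strip().split("-", 1)[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)

def upgrade_target(v: Version) -> Optional[Version]:
    """Release to move to, or None if v already carries the fixes.

    A version on one of the three patched lines upgrades to that line's
    release; an older line has no backport (assumption) and moves to 18.4.1;
    a line newer than 18.4 is past this advisory."""
    fixed = PATCHED.get(v[:2])
    if fixed is not None:
        return None if v >= fixed else fixed
    if v[:2] > (18, 4):
        return None
    return PATCHED[(18, 4)]

def assess(installed: str) -> Dict[str, object]:
    """Summarise one instance: upgrade target plus the flaws whose stated
    affected range includes this version (empty once patched)."""
    v = parse_version(installed)
    target = upgrade_target(v)
    exposed = [cve for cve, first in FIRST_AFFECTED.items()
               if target is not None and v >= first]
    return {"installed": v, "upgrade_to": target, "exposed_to": exposed}

if __name__ == "__main__":
    # Constructed sample versions; a real run would read the instance's own
    # reported version instead.
    for sample in ("18.3.1-ee", "18.4.1", "17.11.2", "14.9.0", "18.5.0"):
        print(sample, "->", assess(sample))
```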
This patch release underscores the ongoing challenge of securing complex DevOps platforms. GitLab, which serves as a central hub for code repositories, CI/CD pipelines, and project management, is an attractive target for attackers seeking to compromise software supply chains. The XSS and privilege escalation flaws in particular could be chained with other vulnerabilities to gain deeper access to sensitive codebases and infrastructure. Organizations should also review their GitLab configurations and ensure that security best practices, such as enabling two-factor authentication and restricting access to sensitive projects, are in place.
The vulnerabilities were disclosed through GitLab's HackerOne bug bounty program, which continues to be a key channel for identifying and remediating security issues. GitLab has committed to making the details of each vulnerability public on its issue tracker 30 days after the release in which they were patched, allowing the security community to learn from the findings. In the meantime, administrators are urged to apply the patches without delay to protect against potential exploitation.