GitLab Patches Three High-Severity Flaws Including Account Takeover and CI/CD Injection
GitLab released versions 18.0.2, 17.11.4, and 17.10.8 on June 11, 2025, fixing multiple security vulnerabilities including three high-severity issues that could enable account takeover, cross-site scripting, and malicious CI/CD job injection.

GitLab has shipped emergency patch releases for its Community Edition (CE) and Enterprise Edition (EE) platforms, addressing a batch of security vulnerabilities that include three high-severity flaws. The updates, versions 18.0.2, 17.11.4, and 17.10.8, were released on June 11, 2025, and GitLab is urging all self-managed instances to upgrade immediately. GitLab.com and GitLab Dedicated customers are already protected and do not need to take action.
The most critical issue, tracked as CVE-2025-4278, is an HTML injection vulnerability that affects GitLab CE/EE versions from 18.0 before 18.0.2. Under certain conditions, an attacker could exploit this flaw to achieve account takeover by injecting malicious code into the search page. The vulnerability carries a CVSS score of 8.7 and was reported by researcher joaxcar through GitLab's HackerOne bug bounty program.
A second high-severity vulnerability, CVE-2025-2254, is a cross-site scripting (XSS) issue in the snippet viewer. This flaw affects versions from 17.9 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2, and could allow an attacker to act in the context of a legitimate user by injecting a malicious script. It also carries a CVSS score of 8.7 and was reported by researcher yvvdwf.
The third high-severity flaw, CVE-2025-5121, is a missing authorization issue specific to GitLab Ultimate EE. An authenticated attacker with access to a GitLab instance that has a GitLab Ultimate license (paid or trial) could inject a malicious CI/CD job into all future pipelines of any project. This vulnerability has a CVSS score of 8.5 and was reported by researcher jean_d-ou.
In addition to these high-severity issues, the patch releases address several medium-severity vulnerabilities. These include CVE-2025-0673, a denial-of-service (DoS) flaw that could trigger an infinite redirect loop causing memory exhaustion; CVE-2025-1516, a DoS via unbounded webhook token names; CVE-2025-1478, a DoS via unbounded board names; and CVE-2024-9512, an information disclosure issue that could allow an attacker to clone a private repository under specific conditions. GitLab has also fixed a low-severity information disclosure flaw related to group IP restriction bypass.
GitLab has made the full details of each vulnerability available on its issue tracker, with a 30-day disclosure delay for security fixes. The company strongly recommends that all self-managed installations running affected versions upgrade to the latest patch release as soon as possible. The patches are available for Omnibus, source code, and Helm chart deployments.
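For administrators of self-managed instances, the practical question is whether the running version falls inside the ranges above and which of the three patch releases to move to. The script below is an added example written for this article, not GitLab's own tooling: it encodes only the version ranges the advisory text states (CVE-2025-4278 and CVE-2025-2254; CVE-2025-5121 is omitted because no version range is given here), compares an installed version such as `17.11.3-ee` against them, and names the patch release for that minor line. Two assumptions are the author's: version strings look like `MAJOR.MINOR.PATCH` with an optional edition suffix, and a minor line without its own patch in this release (17.9, for example) is pointed at the lowest newer patched version.

```python
"""Check a self-managed GitLab version against the June 11, 2025 patch releases.

Added example for this article; not GitLab's own tooling. Ranges come from the
advisory text: 18.0.2, 17.11.4 and 17.10.8 are the fixed versions, and the two
CVEs below are the ones whose affected ranges the article states explicitly.
"""
import re
import sys

# Fixed version for each minor line covered by this release.
FIXED_VERSIONS = {
    (18, 0): (18, 0, 2),
    (17, 11): (17, 11, 4),
    (17, 10): (17, 10, 8),
}

# Affected ranges as [lower inclusive, upper exclusive) version tuples.
# CVE-2025-5121 is not listed: the article gives no version range for it.
AFFECTED_RANGES = {
    "CVE-2025-4278": [((18, 0, 0), (18, 0, 2))],
    "CVE-2025-2254": [
        ((17, 9, 0), (17, 10, 8)),
        ((17, 11, 0), (17, 11, 4)),
        ((18, 0, 0), (18, 0, 2)),
    ],
}


def parse_version(text):
    """Parse '17.11.3' or '17.11.3-ee' into a (major, minor, patch) tuple.

    Assumption: the string starts with three dot-separated integers; any
    edition suffix after them is ignored.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def format_version(v):
    return ".".join(str(part) for part in v)


def affected_cves(version):
    """Return the CVEs (from the stated ranges) that apply to this version."""
    v = parse_version(version)
    return sorted(
        cve for cve, ranges in AFFECTED_RANGES.items()
        if any(lo <= v < hi for lo, hi in ranges)
    )


def recommended_upgrade(version):
    """Return the patch version to move to, or None if already at/above it.

    A minor line with its own patch in this release gets that patch. A line
    without one (assumption) gets the lowest fixed version newer than itself,
    and None if no fixed version in this release is newer.
    """
    v = parse_version(version)
    in_line = FIXED_VERSIONS.get(v[:2])
    if in_line is not None:
        return in_line if v < in_line else None
    newer = [f for f in FIXED_VERSIONS.values() if f > v]
    return min(newer) if newer else None


def report(version):
    """Human-readable summary for one installed version."""
    v = parse_version(version)
    cves = affected_cves(version)
    target = recommended_upgrade(version)
    lines = [f"GitLab {format_version(v)}:"]
    if cves:
        lines.append("  affected by: " + ", ".join(cves))
    else:
        lines.append("  no stated range from this advisory applies")
    if target is not None:
        lines.append(f"  upgrade to: {format_version(target)}")
    else:
        lines.append("  at or above the patched version for this release")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python check_gitlab.py 17.11.3-ee
    # The version is what `gitlab-rake gitlab:env:info` reports as Version.
    for arg in sys.argv[1:] or ["17.11.3-ee"]:  # constructed default input
        print(report(arg))
```

The ranges are deliberately kept as plain tuples so that adding a later advisory is a data change rather than a logic change; the comparison itself is ordinary tuple ordering on `(major, minor, patch)`.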
This release underscores the ongoing challenge of securing complex DevOps platforms against a wide range of attack vectors, from injection flaws to authorization gaps. GitLab's rapid response and transparent disclosure process provide a model for handling security vulnerabilities in widely used development tools.