Vypr advisory · Published Dec 10, 2025 · Updated May 20, 2026 · 1 source

GitLab Patches Three High-Severity XSS and DoS Vulnerabilities in December 2025 Security Release

GitLab released emergency patch versions 18.6.2, 18.5.4, and 18.4.6 on December 10, 2025, fixing three high-severity cross-site scripting flaws, a denial-of-service issue in GraphQL, and multiple medium-severity bugs.

GitLab has shipped an urgent set of patch releases — versions 18.6.2, 18.5.4, and 18.4.6 — for both Community Edition (CE) and Enterprise Edition (EE) on December 10, 2025. The updates address a concentrated batch of vulnerabilities, including three high-severity cross-site scripting (XSS) bugs, a denial-of-service (DoS) vector in GraphQL endpoints, an authentication bypass for WebAuthn users, and several other medium-risk issues. GitLab strongly recommends that all self-managed installations running affected versions upgrade immediately, as the patches cover versions ranging back to 6.3 in one case. GitLab.com is already patched, and GitLab Dedicated customers are unaffected.

At the top of the severity scale is CVE-2025-12716, a high-severity XSS vulnerability in the Wiki component carrying a CVSS score of 8.7. An authenticated attacker could create malicious wiki pages that, when viewed, execute unauthorized actions on behalf of another user. The flaw impacts all GitLab versions from 18.4 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2. It was reported by researcher yvvdwf via GitLab's HackerOne bug bounty program.

Two additional XSS flaws round out the high-severity category. CVE-2025-12029 (CVSS 8.0) allows an unauthenticated attacker to inject malicious external scripts into the Swagger UI component, potentially hijacking user sessions. The bug affects versions going back to 15.11, a broad impact window. CVE-2025-8405 (CVSS 7.7) is an improper encoding issue in vulnerability reports that could enable authenticated attackers to inject malicious HTML into vulnerability code flow displays, leading to unauthorized actions on behalf of other users. Both were also reported through HackerOne.

A denial-of-service vulnerability in GraphQL endpoints, CVE-2025-12562 (CVSS 7.5), allows an unauthenticated attacker to exhaust server resources by sending crafted queries that bypass complexity limits, potentially taking the service offline. The flaw affects all GitLab versions from 11.10 onward. This issue was reported by researcher joaxcar.

Medium-severity issues include a notable authentication bypass for WebAuthn users (CVE-2025-11984, CVSS 6.8), where an authenticated attacker could bypass a user's WebAuthn two-factor authentication by manipulating session state under certain conditions — a serious concern for organizations relying on hardware security keys. Additionally, two DoS flaws were patched: one in ExifTool image processing (CVE-2025-4097, CVSS 6.5), triggered by uploading specially crafted images, and another in the Commit API (CVE-2025-14157, CVSS 6.5), exploited via crafted API calls with large content parameters. The Commit API DoS vulnerability was discovered internally by GitLab.

Beyond these, the patch release also resolves an information disclosure issue in compliance frameworks (EE), information disclosure through error messages, an HTML injection flaw in merge request titles, and additional low-severity issues. Full details of each vulnerability will be published on GitLab's issue tracker 30 days after this release, per the company's disclosure policy.

Admins should patch immediately given the breadth of affected versions and the exploitation potential of pre-auth XSS and DoS vectors. The December 2025 set of patches arrives less than a month after GitLab's previous security release, highlighting an ongoing cadence of vulnerability remediation for the widely used DevOps platform.

Synthesized by Vypr AI