GitLab Patches Three High-Severity XSS Flaws and Other Bugs in August 2025 Security Release
GitLab released versions 18.2.2, 18.1.4, and 18.0.6 on August 13, 2025, addressing three high-severity cross-site scripting vulnerabilities along with several medium-severity flaws in Community and Enterprise Editions.

GitLab shipped emergency patch releases 18.2.2, 18.1.4, and 18.0.6 on August 13, 2025, fixing a total of twelve security vulnerabilities spanning cross-site scripting, privilege escalation, authorization flaws, and denial-of-service conditions. The update affects all self-managed GitLab CE/EE instances from version 14.2 through 18.2.1, while GitLab.com was already updated and GitLab Dedicated customers require no action. The full advisory is available on GitLab's security releases page.
Three high-severity cross-site scripting vulnerabilities were patched, each carrying a CVSS score of 8.7. CVE-2025-7734 affects the blob viewer and could allow an attacker to execute actions on behalf of users by injecting malicious content; it affects versions from 14.2. CVE-2025-7739 enables stored XSS via malicious HTML content in scoped label descriptions and affects versions from 18.2. CVE-2025-6186, the most critical, allows authenticated users to achieve account takeover by injecting malicious HTML into work item names and affects versions from 18.1. Both CVE-2025-7734 and CVE-2025-6186 were reported by researcher joaxcar through GitLab's HackerOne bug bounty program, while CVE-2025-7739 was reported by yvvdwf.
In addition to the XSS issues, GitLab fixed CVE-2025-8094, an improper handling of permissions vulnerability in the project API (CVSS 7.7) that allows authenticated maintainers to cause denial of service to other users' CI/CD pipelines by manipulating shared infrastructure. CVE-2024-12303 addresses an incorrect privilege assignment flaw that permitted users with specific roles to delete confidential issues by inviting users with appropriate permissions, carrying a CVSS of 6.7. Two medium-severity resource exhaustion bugs were also resolved: CVE-2025-2614 affects release name creation (CVSS 6.5), and another unnamed Mattermost integration flaw allows unlimited resource allocation.
The release also addresses authorization issues in the jobs API and merge request approval policies, an inefficient regular expression complexity problem in the wiki component, insufficient access control in IP restriction for GitLab EE, and an incorrect permission assignment in ID tokens. All vulnerabilities were reported through the company's bug bounty program, with researchers including abdelrahman_maged, yuki_osaki, pwnie, and others receiving credit. Detailed descriptions for each CVE will be made public on GitLab's issue tracker 30 days after the release, following standard disclosure policy.
GitLab strongly recommends that all self-managed installations upgrade to 18.2.2, 18.1.4, or 18.0.6 immediately. The scheduled patch release cycle occurs twice monthly on the second and fourth Wednesdays, and this release is an ad-hoc critical patch addressing high-severity issues. Organizations running unsupported versions or those that cannot upgrade immediately are urged to review the individual vulnerability impact and apply restrictive network controls where feasible. With several CVEs enabling privilege escalation and cross-site scripting, the risk of account takeover and lateral movement is significant for DevOps environments where GitLab manages source code and CI/CD pipelines.
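As an added example (not from GitLab or this article), a small Python helper that maps a self-managed instance's reported version onto this release's three fix branches, so an inventory script can flag which hosts still need the upgrade. The JSON sample is constructed in the shape of GitLab's `/api/v4/version` response, and the choice to point instances on branches older than 18.0 at 18.2.2 is an assumption of mine, not advice from the advisory.

```python
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Patched versions named in the August 13, 2025 GitLab release, keyed by branch.
FIXED_VERSIONS = {(18, 2): (18, 2, 2), (18, 1): (18, 1, 4), (18, 0): (18, 0, 6)}
# Oldest version the advisory lists as affected.
EARLIEST_AFFECTED: Version = (14, 2, 0)
# Assumption: instances on a branch with no patched release should move to the newest one.
FALLBACK_TARGET = "18.2.2"


def parse_version(text: str) -> Version:
    """Parse 'X.Y.Z' (an '-ee' / '-ce' suffix is ignored) into a comparable tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, recommended_upgrade) for one instance version string."""
    v = parse_version(version)
    if v < EARLIEST_AFFECTED:
        return ("not-affected", None)          # below the advisory's affected range
    fixed = FIXED_VERSIONS.get((v[0], v[1]))
    if fixed is None:
        if v > max(FIXED_VERSIONS.values()):
            return ("not-affected", None)      # newer than this release, outside its range
        return ("affected-unsupported", FALLBACK_TARGET)
    if v >= fixed:
        return ("patched", None)
    return ("affected", ".".join(map(str, fixed)))


def assess_api_response(body: str) -> Tuple[str, Optional[str]]:
    """Assess the JSON body returned by GET /api/v4/version (needs an authenticated token)."""
    return assess(json.loads(body)["version"])


if __name__ == "__main__":
    # Constructed sample response; a real one also carries a "revision" field.
    sample = '{"version": "18.2.1-ee", "revision": "deadbeef"}'
    print(assess_api_response(sample))  # ('affected', '18.2.2')
```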
This August update follows a similar emergency patch from May 2026 that fixed multiple high-severity XSS and DoS flaws in the Analytics dashboard, global search, and CI/CD APIs, highlighting a continuing pattern of cross-site scripting as a persistent attack surface in GitLab's feature-rich web interface. The company's bug bounty program continues to yield actionable reports, with all three high-severity XSS vulnerabilities discovered externally. Organizations using GitLab should treat these updates as high priority, given the prevalence of XSS exploitation in development environments where elevated privileges can compromise proprietary code and deployment pipelines.