GitLab Patches Two High-Severity XSS Flaws in Kubernetes Proxy, Six Other Vulnerabilities
GitLab released versions 18.2.1, 18.1.3, and 18.0.5 on July 23, 2025, fixing eight vulnerabilities including two high-severity cross-site scripting bugs in the Kubernetes proxy feature.

GitLab released versions 18.2.1, 18.1.3, and 18.0.5 for Community Edition (CE) and Enterprise Edition (EE) on July 23, 2025, addressing eight security vulnerabilities. The patch release includes fixes for two high-severity cross-site scripting (XSS) issues in the Kubernetes proxy, along with several medium-severity flaws involving information disclosure and improper access control. GitLab strongly recommends that all self-managed installations upgrade immediately; GitLab.com is already running the patched version and GitLab Dedicated customers need to take no action.
The two most severe vulnerabilities are CVE-2025-4700 and CVE-2025-4439, both XSS flaws in the Kubernetes proxy. CVE-2025-4700, rated CVSS 8.7 by GitLab, could allow an authenticated user to trigger unintended content rendering that leads to XSS under certain circumstances. CVE-2025-4439, rated CVSS 7.7, enables XSS when the GitLab instance is served through certain content delivery networks, so deployments that front GitLab with a CDN are the ones exposed to it. Both vulnerabilities were reported by researcher joaxcar through GitLab's HackerOne bug bounty program and affect all versions from 15.10 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1.
The medium-severity flaws include CVE-2025-7001 (CVSS 4.3), an information disclosure issue that allowed privileged users to read resource_group information through the API that should not have been available to them. CVE-2025-4976 (CVSS 4.3) is an improper access control bug in GitLab EE that could allow an attacker to access internal notes in GitLab Duo responses. CVE-2025-0765 (CVSS 4.3) exposes custom service desk email addresses to unauthorized users, while CVE-2025-1299 (CVSS 4.3) allows unauthorized reading of deployment job logs via crafted requests. All medium-severity issues were reported through the HackerOne bug bounty program.
The patch release also includes several non-security bug fixes, addressing problems with S3 compatibility in Workhorse uploads for non-AWS providers, GitHub import end-to-end tests, and Agentic Chat session management. GitLab ships patch releases on a fixed cadence, twice a month on the second and fourth Wednesdays. July 23, 2025 was the fourth Wednesday of the month, so this was a scheduled patch release rather than an out-of-band one, although the two high-severity fixes it carries make it one to apply without waiting for the next maintenance window.
Self-managed GitLab installations running affected versions should prioritize upgrading to 18.2.1, 18.1.3, or 18.0.5 depending on their release track; the installed version can be confirmed from the Admin area or with an authenticated request to `GET /api/v4/version`. GitLab typically makes vulnerability details public on its issue tracker 30 days after the patched release, so technical specifics for these flaws should appear around August 22, 2025. Organizations that use the GitLab agent for Kubernetes should pay particular attention to the proxy-related XSS fixes: the Kubernetes proxy sits between GitLab users and their clusters, so a script that executes in that context runs with the victim's GitLab session and the cluster access that session carries.
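The affected ranges for the two high-severity issues span three release tracks, which makes a quick eyeball check error-prone (17.11.x is affected, for example, and its fixed version is 18.0.5). The following helper, an added example written for this article rather than a tool GitLab provides, encodes those ranges and decides for a given version string whether the instance is affected and which patched version closes the gap. The sample input is a constructed response body in the shape returned by `GET /api/v4/version`; the `version` field is the only one the helper reads.

```python
"""Affected-version check for the GitLab patch release of July 23, 2025.

Added example, not GitLab's own tooling. It applies the ranges stated in the
advisory for CVE-2025-4700 and CVE-2025-4439: all versions from 15.10 before
18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1.
"""
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Lower bound of the oldest affected range ("from 15.10").
FIRST_AFFECTED: Version = (15, 10, 0)

# Patched version per track. Anything from 15.10 up to the 18.0 track is
# fixed in 18.0.5; 18.1 and 18.2 have their own backported fixes.
FIXED_18_0: Version = (18, 0, 5)
FIXED_18_1: Version = (18, 1, 3)
FIXED_18_2: Version = (18, 2, 1)

# Accept "18.1.2", "18.1.2-ee", "18.2.0-pre" and similar; suffixes are ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Parse the leading MAJOR.MINOR.PATCH of a GitLab version string."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def fixed_version_for(version: Version) -> Optional[Version]:
    """Return the patched version on this version's track.

    None means the advisory does not list the version as affected: either it
    predates 15.10 or it is newer than the 18.2 track.
    """
    track = version[:2]
    if track == (18, 2):
        return FIXED_18_2
    if track == (18, 1):
        return FIXED_18_1
    # Everything from 15.10.0 up to, but not including, the 18.1 track.
    if FIRST_AFFECTED <= version < (18, 1, 0):
        return FIXED_18_0
    return None


def is_affected(version_text: str) -> bool:
    """True if the version is in an affected range for the two XSS flaws."""
    version = parse_version(version_text)
    fixed = fixed_version_for(version)
    return fixed is not None and version < fixed


def assess_instance(version_json: str) -> dict:
    """Assess a /api/v4/version response body and report the recommended target."""
    body = json.loads(version_json)
    version_text = body["version"]
    version = parse_version(version_text)
    fixed = fixed_version_for(version)
    affected = fixed is not None and version < fixed
    return {
        "installed": version_text,
        "affected": affected,
        # Only suggest an upgrade target when the instance is actually affected.
        "upgrade_to": ".".join(map(str, fixed)) if affected else None,
    }


if __name__ == "__main__":
    # Constructed sample in the shape of GET /api/v4/version; not a real instance.
    sample = '{"version": "18.1.2-ee", "revision": "0000000"}'
    print(assess_instance(sample))
```

Note that the helper reports the patched version on the instance's own track; a real upgrade from an older release such as 17.11 may still need intermediate stops on GitLab's documented upgrade path before 18.0.5 can be installed.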