GitLab has released critical security patches addressing multiple vulnerabilities, including a high-severity cross-site scripting (XSS) vulnerability that could allow attackers to execute malicious actions on behalf of users.
The company issued versions 18.1.2, 18.0.4, and 17.11.6 for both Community Edition (CE) and Enterprise Edition (EE), urging immediate upgrades for all self-managed installations.
The most serious vulnerability, CVE-2025-6948, carries a CVSS score of 8.7 and affects all versions from 17.11 before the latest patches, potentially enabling unauthorized actions through content injection attacks.
The most critical issue, CVE-2025-6948, is a cross-site scripting vulnerability that could allow a successful attacker to perform actions on behalf of legitimate users by injecting malicious content into a GitLab instance.
This vulnerability affects both Community and Enterprise editions across multiple version ranges, including all versions from 17.11 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2.
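A practical first step for administrators is to check the version string of each self-managed instance against the affected ranges the advisory lists. The following script is an added example, not GitLab's own tooling; it encodes the three ranges named above (17.11 before 17.11.6, 18.0 before 18.0.4, 18.1 before 18.1.2) and reports whether a version is affected and which patch release closes its branch. The sample version strings at the bottom are constructed for illustration.

```python
"""Check self-managed GitLab version strings against the ranges named in the
advisory for CVE-2025-6948 (added illustration, not GitLab's own tooling)."""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# (first affected release, first fixed release) per branch, taken from the advisory.
# Each interval is half-open: the fixed release itself is not affected.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((17, 11, 0), (17, 11, 6)),
    ((18, 0, 0), (18, 0, 4)),
    ((18, 1, 0), (18, 1, 2)),
]

# Accepts "18.1.1", "18.1.1-ee", "v17.11.5"; the edition suffix is ignored
# because the advisory covers CE and EE alike.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(?:-(ce|ee))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Version:
    """Parse a GitLab version string into a (major, minor, patch) tuple.
    A missing patch component is treated as .0; anything else raises ValueError."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(version: str, ranges: List[Tuple[Version, Version]] = AFFECTED_RANGES) -> bool:
    """True when the version falls inside any [first_affected, first_fixed) interval."""
    parsed = parse_version(version)
    return any(low <= parsed < fixed for low, fixed in ranges)


def fixed_version_for(version: str, ranges: List[Tuple[Version, Version]] = AFFECTED_RANGES) -> Optional[str]:
    """Return the patch release that closes the branch this version sits on,
    or None when the version is outside the advisory's ranges."""
    parsed = parse_version(version)
    for low, fixed in ranges:
        if low <= parsed < fixed:
            return ".".join(str(part) for part in fixed)
    return None


def report(version: str) -> str:
    """One-line human-readable verdict for a version string."""
    fixed = fixed_version_for(version)
    if fixed is None:
        return f"{version}: not in the advisory's affected ranges"
    return f"{version}: AFFECTED, upgrade to {fixed}"


if __name__ == "__main__":
    # Constructed sample inventory; replace with the versions of your own instances.
    for sample in ["17.11.5-ee", "17.11.6-ce", "18.0.3", "18.0.4", "18.1.1-ee", "18.1.2", "v18.1"]:
        print(report(sample))
```

Versions below 17.11 are deliberately reported as outside the ranges because the advisory only speaks about 17.11 and later; an instance on an older, unsupported branch still needs attention, just not on the basis of this check.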
The vulnerability was reported through GitLab's HackerOne bug bounty program by security researcher yvvdwf.
With a CVSS score of 8.7, this represents a high-severity threat that could compromise user accounts and potentially lead to unauthorized access to sensitive repositories and data.
The attack vector operates through network access with low attack complexity, requiring only low-level privileges and user interaction, making it particularly concerning for organizations with multiple GitLab users.
Three additional vulnerabilities involve improper authorization mechanisms that could allow authenticated users to bypass various group-level restrictions:
Both lower-severity vulnerabilities involve authenticated users with elevated privileges and require high-level permissions to exploit, making them less critical but still requiring immediate patching to maintain proper access controls.
GitLab strongly recommends immediate upgrades to the latest patch versions, emphasizing that GitLab.com already runs the patched versions while GitLab Dedicated customers require no action.
The company follows a structured security release schedule, issuing patches twice monthly on the second and fourth Wednesdays, with additional ad-hoc releases for high-severity vulnerabilities.
Beyond the GitLab-specific vulnerabilities, the patches include updates to rsync version 3.4.1, addressing additional security concerns including CVE-2024-12084 and CVE-2024-12088.
The releases also incorporate numerous bug fixes across all three version branches, improving stability and functionality.
Following GitLab’s standard disclosure policy, detailed vulnerability information will be made public on their issue tracker 30 days after release.
Organizations should prioritize these updates as part of maintaining security hygiene, particularly given the high-severity nature of the primary XSS vulnerability and its potential for significant impact on user accounts and data integrity.