GitLab Announces Security Update

GitLab has released important security updates for its Community Edition (CE) and Enterprise Edition (EE) versions, addressing several vulnerabilities, including a high-risk Cross-Site Scripting (XSS) vulnerability.

The most critical vulnerability is a stored XSS vulnerability (CVE-2025-0314) caused by improper rendering of certain file types. It affects all versions from 17.2 before 17.6.4, from 17.7 before 17.7.3, and from 17.8 before 17.8.1 (the patched releases). CVSS Score: 8.7. This vulnerability allows attackers to inject malicious scripts into GitLab instances, potentially leading to session hijacking, data theft, or unauthorized system control.

The issue is related to improper rendering of certain file types via the Asciidoctor tool, which allows attackers to insert malicious JavaScript code. This code executes in the user’s browser, which can compromise user sessions or expose sensitive information.

CI/CD Variables Theft via CI Lint (CVE-2024-11931)
This medium-severity vulnerability (CVSS: 6.4) allowed developers to steal CI/CD variables through the CI Lint function under certain conditions. It affects all versions from 17.0 up to the versions with the fix. This issue was discovered by GitLab employee Greg Myers.

Denial-of-Service (DoS) Vulnerability (CVE-2024-6324)
This medium-severity DoS vulnerability (CVSS: 4.3) affects all versions from 15.7 up to the versions with the fix. Attackers can create cyclic links between epics, exhausting system resources and causing service disruption.

GitLab strongly recommends that all users upgrade to versions 17.8.1, 17.7.3, or 17.6.4 to mitigate these vulnerabilities.
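As an added example (not GitLab's own tooling), the check below takes the version string of an instance and reports which of the three CVEs above it is exposed to, together with the patched release it should move to; it encodes the ranges exactly as the advisory states them and assumes "up to the versions with the fix" means the three patched releases named here.

```python
"""Classify a GitLab version against the affected ranges stated in the advisory above."""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Patched releases named in the advisory, one per maintained branch.
FIXED_RELEASES: list = [(17, 6, 4), (17, 7, 3), (17, 8, 1)]

# Earliest affected version per CVE, as the advisory states them.
# Assumption: "up to the versions with the fix" means the releases above.
FIRST_AFFECTED: dict = {
    "CVE-2025-0314": (17, 2, 0),   # stored XSS via Asciidoctor rendering
    "CVE-2024-11931": (17, 0, 0),  # CI/CD variable theft via CI Lint
    "CVE-2024-6324": (15, 7, 0),   # DoS via cyclic epic links
}


def parse_version(text: str) -> Version:
    """Parse '17.6.2', '17.6.2-ee' or 'v17.6' into a (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def fix_for_branch(v: Version) -> Optional[Version]:
    """Return the patched release an instance on v's branch should move to.

    The branch fix is the lowest patched release whose major.minor is >= v's
    (a 17.5.x instance upgrades to 17.6.4); a version newer than every
    patched branch (e.g. 17.9.x) returns None.
    """
    candidates = [f for f in FIXED_RELEASES if f[:2] >= v[:2]]
    return min(candidates) if candidates else None


def affected_cves(version: str) -> dict:
    """Map each CVE the instance is exposed to onto the release that fixes it."""
    v = parse_version(version)
    fix = fix_for_branch(v)
    if fix is None or v >= fix:
        return {}  # already on or past a patched release
    return {cve: fix for cve, start in FIRST_AFFECTED.items() if v >= start}


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real instance.
    for sample in ("16.11.0", "17.1.2-ee", "17.5.0", "17.7.2", "17.8.1"):
        print(sample, "->", affected_cves(sample) or "not affected")
```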

Risk Mitigation Recommendations:

  • Regularly update your GitLab instance.
  • Periodically check logs to monitor suspicious activity.
  • Educate users to recognize phishing attacks and apply updates promptly.
  • Perform regular security audits.

These security updates from GitLab are crucial for protecting users from attacks and ensuring system stability. To minimize security risks and protect the system, updates should be applied as soon as possible.
