Sunday, May 4, 2025
HomeCVE/vulnerabilityGitLab Releases Critical Patch for XSS, DoS, and Account Takeover Bugs

GitLab Releases Critical Patch for XSS, DoS, and Account Takeover Bugs

Published on

SIEM as a Service

Follow Us on Google News

GitLab, a leading DevOps platform, has released a critical security patch impacting both its Community (CE) and Enterprise (EE) editions, urging all self-managed users to update immediately.

The new versions—17.11.1, 17.10.5, and 17.9.7—address several high and medium-severity vulnerabilities, including cross-site scripting (XSS), denial of service (DoS), and account takeover threats.

GitLab emphasizes the importance of prompt updates, especially for self-managed installations.

- Advertisement - Google News

While GitLab.com and Dedicated customers are already protected, organizations running vulnerable versions risk exposure to sophisticated attacks if they delay upgrading.

“We strongly recommend all installations running an affected version to upgrade as soon as possible,” stated a GitLab spokesperson. “These patches are vital for maintaining the security integrity of user and project data.”

Critical Vulnerabilities Exploited

The patch addresses five distinct vulnerabilities—three rated as high severity and two as medium. The table below summarizes the key security fixes and their corresponding CVEs:

TitleSeverityCVEDescription
Cross Site Scripting (XSS) in Maven Dependency Proxy through CSP directivesHighCVE-2025-1763XSS and CSP bypass in Maven Proxy, allowing malicious code in user browsers.
Cross Site Scripting (XSS) in Maven dependency proxy through cache headersHighCVE-2025-2443XSS via cache headers, enabling attackers to inject scripts under specific conditions.
Network Error Logging (NEL) Header Injection in Maven Dependency Proxy Allows Activity MonitoringHighCVE-2025-1908NEL header injection could allow attackers to track user browsing and potentially take accounts.
Denial of service (DOS) via issue previewMediumCVE-2025-0639Attackers could crash services through crafted issue previews, impacting availability.
Unauthorized access to branch names when Repository assets are disabledMediumCVE-2024-12244Users might access restricted branch names, bypassing intended project controls.

Vulnerability Details

  • Two XSS Flaws (CVE-2025-1763, CVE-2025-2443): Both XSS vulnerabilities allow attackers to exploit Maven dependency proxy features using either CSP directives or cache headers. These issues impact all versions from 16.6 up to the latest patched releases.
  • NEL Header Injection (CVE-2025-1908): Attackers could inject malicious NEL headers, giving them the ability to track browser activities and, in some cases, take over user accounts.
  • DoS via Issue Preview (CVE-2025-0639): Crafted issue previews could disrupt GitLab’s issue tracking, resulting in service downtime.
  • Unauthorized Branch Name Access (CVE-2024-12244): Attackers might view branch names even when repository assets are disabled, leaking potentially sensitive project details.

GitLab has reiterated its commitment to transparency and rapid vulnerability response, crediting responsible disclosures from external security researchers via their HackerOne program.

All issue details will be published on GitLab’s public issue tracker 30 days after release. For best security practices, organizations should upgrade and follow GitLab’s recommendations on securing DevOps environments.

Find this News Interesting! Follow us on Google NewsLinkedIn, & X to Get Instant Updates!

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Claude AI Abused in Influence-as-a-Service Operations and Campaigns

Claude AI, developed by Anthropic, has been exploited by malicious actors in a range...

Threat Actors Attacking U.S. Citizens Via Social Engineering Attack

As Tax Day on April 15 approaches, a alarming cybersecurity threat has emerged targeting...

TerraStealer Strikes: Browser Credential & Sensitive‑Data Heists on the Rise

Insikt Group has uncovered two new malware families, TerraStealerV2 and TerraLogger, attributed to the...

MintsLoader Malware Uses Sandbox and Virtual Machine Evasion Techniques

MintsLoader, a malicious loader first observed in 2024, has emerged as a formidable tool...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Claude AI Abused in Influence-as-a-Service Operations and Campaigns

Claude AI, developed by Anthropic, has been exploited by malicious actors in a range...

Threat Actors Attacking U.S. Citizens Via Social Engineering Attack

As Tax Day on April 15 approaches, a alarming cybersecurity threat has emerged targeting...

TerraStealer Strikes: Browser Credential & Sensitive‑Data Heists on the Rise

Insikt Group has uncovered two new malware families, TerraStealerV2 and TerraLogger, attributed to the...