GitLab, a leading DevOps platform, has released a critical security patch impacting both its Community (CE) and Enterprise (EE) editions, urging all self-managed users to update immediately.
The new versions—17.11.1, 17.10.5, and 17.9.7—address several high and medium-severity vulnerabilities, including cross-site scripting (XSS), denial of service (DoS), and account takeover threats.
GitLab emphasizes the importance of prompt updates, especially for self-managed installations.
While GitLab.com and Dedicated customers are already protected, organizations running vulnerable versions risk exposure to sophisticated attacks if they delay upgrading.
“We strongly recommend all installations running an affected version to upgrade as soon as possible,” stated a GitLab spokesperson. “These patches are vital for maintaining the security integrity of user and project data.”
The patch addresses five distinct vulnerabilities—three rated as high severity and two as medium. The table below summarizes the key security fixes and their corresponding CVEs:
Title | Severity | CVE | Description |
Cross Site Scripting (XSS) in Maven Dependency Proxy through CSP directives | High | CVE-2025-1763 | XSS and CSP bypass in Maven Proxy, allowing malicious code in user browsers. |
Cross Site Scripting (XSS) in Maven dependency proxy through cache headers | High | CVE-2025-2443 | XSS via cache headers, enabling attackers to inject scripts under specific conditions. |
Network Error Logging (NEL) Header Injection in Maven Dependency Proxy Allows Activity Monitoring | High | CVE-2025-1908 | NEL header injection could allow attackers to track user browsing and potentially take accounts. |
Denial of service (DOS) via issue preview | Medium | CVE-2025-0639 | Attackers could crash services through crafted issue previews, impacting availability. |
Unauthorized access to branch names when Repository assets are disabled | Medium | CVE-2024-12244 | Users might access restricted branch names, bypassing intended project controls. |
GitLab has reiterated its commitment to transparency and rapid vulnerability response, crediting responsible disclosures from external security researchers via their HackerOne program.
All issue details will be published on GitLab’s public issue tracker 30 days after release. For best security practices, organizations should upgrade and follow GitLab’s recommendations on securing DevOps environments.
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
Operation Endgame II has delivered a devastating strike against DanaBot, a notorious malware that has…
Apple has released urgent security patches addressing CVE-2025-31219, a high-severity vulnerability in its XNU kernel…
A massive data leak from the LockBit ransomware group, published on its hijacked leak site,…
A sophisticated cyber threat actor, dubbed ViciousTrap by Sekoia.io's Threat Detection & Research (TDR) team,…
The U.S. Department of Justice has unsealed a federal indictment against Rustam Rafailevich Gallyamov, 48,…
FortiGuard Labs released an urgent advisory detailing a critical vulnerability, CVE-2025-32756, affecting several Fortinet products,…