GitLab Vulnerabilities Allow Attackers to Bypass Security and Run Arbitrary Scripts

GitLab has urgently released security updates to address multiple high-severity vulnerabilities in its platform that could allow attackers to bypass security mechanisms, execute malicious scripts, and access sensitive data.

The patches, included in versions 17.9.1, 17.8.4, and 17.7.6 for both Community Edition (CE) and Enterprise Edition (EE), mitigate critical risks affecting Kubernetes integrations, dependency management, and authorization systems.

Immediate upgrades are strongly recommended for all self-managed instances.

Detailed Vulnerability Analysis

CVE-2025-0475: XSS in Kubernetes Proxy Endpoint (CVSS 8.7)

A high-severity cross-site scripting (XSS) vulnerability was discovered in GitLab’s Kubernetes proxy endpoint, enabling attackers to inject malicious scripts through improperly sanitized content.

Exploiting this flaw (affecting versions 15.10 to 17.9.1) could compromise user sessions or redirect traffic under specific conditions. .

CVE-2025-0555: XSS in Maven Dependency Proxy (CVSS 7.7)

Another high-severity XSS flaw in GitLab EE’s Maven Dependency Proxy allowed attackers to bypass security controls and execute arbitrary scripts in user browsers.

Impacting versions 16.6 to 17.9.1, this vulnerability underscores supply chain risks in dependency management systems.

CVE-2024-8186: HTML Injection Leading to XSS (CVSS 5.4)

A medium-severity HTML injection flaw in GitLab’s child item search feature (versions 16.6 to 17.9.1) permitted attackers to inject malicious markup, potentially leading to XSS attacks on self-hosted instances.

CVE-2024-10925: Guest User Authorization Bypass (CVSS 5.3)

This medium-severity flaw allowed Guest users in GitLab EE (versions 16.2 to 17.9.1) to read security policy YAML files containing sensitive rules and configurations.

CVE-2025-0307: Planner Role Data Exposure (CVSS 4.3)

Users with the Planner role in private GitLab EE projects (versions 17.7 to 17.9.1) could improperly access code review analytics, violating least-privilege principles.

Patch Deployment and Mitigation

GitLab and Dedicated instances received automatic fixes, but self-managed deployments require manual upgrades to versions 17.9.1, 17.8.4, or 17.7.6.

The company adheres to a 30-day disclosure policy, with full technical details for these CVEs slated for publication on March 27, 2025.

Administrators should:

1. Prioritize upgrades for instances using Kubernetes, Maven, or granular role-based access controls.
2. Audit user permissions to ensure compliance with least-privilege policies.
3. Monitor proxy endpoint traffic for unusual HTML/script payloads.

These vulnerabilities highlight systemic risks in CI/CD platforms, particularly as attackers increasingly target:

• Dependency chains: Exploits like CVE-2025-0555 show how malicious packages could infiltrate builds.
• Overprivileged roles: Flaws like CVE-2025-0307 emphasize misconfigured permissions in complex projects.
• Third-party integrations: Kubernetes proxy vulnerabilities (CVE-2025-0475) reveal risks in cloud-native tooling.

GitLab credited researchers joaxcar, yuki_osaki, and weasterhacker through its bug bounty program, awarding payouts commensurate with the CVSS ratings.

With over 30 million users relying on GitLab, these patches are critical to maintaining trust in modern software delivery pipelines.

Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free