Categories: Cyber Security News

GitLab Vulnerabilities Let Attackers Execute Actions by Injecting Malicious Content

GitLab has released critical security patches across multiple versions to address several high-severity vulnerabilities that could allow attackers to execute unauthorized actions through malicious content injection. 

The latest patch releases 18.1.2, 18.0.4, and 17.11.6 for both Community Edition (CE) and Enterprise Edition (EE) contain essential security fixes that require immediate attention from all self-managed GitLab administrators.

Key Takeaways
1. High-severity XSS vulnerability (CVE-2025-6948) allows attackers to execute actions via malicious content injection.
2. Authorization bypass flaws let authenticated users circumvent group-level restrictions through API manipulation.
3. Widespread impact affects GitLab versions 13.3+ through 18.1, with XSS affecting versions 17.11+.
4. Immediate patching required - upgrade to versions 18.1.2, 18.0.4, or 17.11.6 now.

Cross-Site Scripting Vulnerability (CVE-2025-6948)

The most severe vulnerability identified is CVE-2025-6948, a cross-site scripting (XSS) issue that affects both GitLab CE and EE installations. 

This high-severity vulnerability carries a CVSS score of 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), indicating significant potential impact on confidentiality and integrity.

Under certain conditions, this vulnerability could allow a successful attacker to execute actions on behalf of users by injecting malicious content. 

The attack vector is network-based with low attack complexity, and exploitation requires only low privileges plus user interaction.

However, the scope is changed, meaning the vulnerable component can affect resources beyond its own security scope, with a high impact on both confidentiality and integrity.

The vulnerability impacts all versions from 17.11 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2. 

This extensive version range indicates that the vulnerability has been present in GitLab systems for a considerable period, making immediate patching crucial.

Authorization Bypass Vulnerabilities

Beyond the XSS vulnerability, GitLab has addressed multiple improper authorization issues that could allow authenticated users to bypass various security restrictions:

CVE-2025-3396 (Medium severity, CVSS 4.3) affects an extensive range of versions from 13.3 onwards, allowing authenticated project owners to bypass group-level forking restrictions through manipulated API requests. 


This vulnerability demonstrates how API manipulation can circumvent intended access controls.

Two additional low-severity vulnerabilities, CVE-2025-4972 and CVE-2025-6168 (both CVSS 2.7), specifically impact GitLab EE versions 18.0 and 18.1. 

These vulnerabilities allow authenticated users with invitation privileges and maintainers respectively to bypass group-level user invitation restrictions through crafted API requests and manipulation of group invitation functionality.

CVE             Description                     CVSS 3.1 Score   Severity
CVE-2025-6948   Cross-site scripting issue      8.7              High
CVE-2025-3396   Improper authorization issue    4.3              Medium
CVE-2025-4972   Improper authorization issue    2.7              Low
CVE-2025-6168   Improper authorization issue    2.7              Low

The patch releases also include rsync security updates to version 3.4.1, addressing additional vulnerabilities including CVE-2024-12084 and CVE-2024-12088.

All vulnerabilities were discovered through GitLab’s HackerOne bug bounty program, highlighting the importance of responsible disclosure in identifying security flaws. 

GitLab strongly recommends that all installations running affected versions upgrade immediately to the latest patched versions. 

The comprehensive nature of these vulnerabilities, particularly the high-severity XSS issue, necessitates urgent action to prevent potential exploitation.
