GitLab has released updated versions 18.6.2, 18.5.4, and 18.4.6 to address multiple high-severity security issues.
Four vulnerabilities received high-severity ratings and require immediate remediation.
The vulnerability landscape includes four high-severity flaws, five medium-severity issues, and one low-severity vulnerability.
Four of the critical issues involve cross-site scripting (XSS) attacks and improper encoding that could allow unauthorized actions on behalf of other users.
| CVE ID | Vulnerability Type | CVSS Score |
|---|---|---|
| CVE-2025-12716 | Cross-site Scripting (XSS) | 8.7 |
| CVE-2025-8405 | Improper Encoding / HTML Injection | 8.7 |
| CVE-2025-12029 | Cross-site Scripting (XSS) | 8.0 |
| CVE-2025-12562 | Denial of Service (DoS) | 7.5 |
| CVE-2025-11984 | Authentication Bypass | 6.8 |
| CVE-2025-4097 | Denial of Service (DoS) | 6.5 |
| CVE-2025-14157 | Denial of Service (DoS) | 6.5 |
| CVE-2025-11247 | Information Disclosure | 4.3 |
| CVE-2025-13978 | Information Disclosure | 4.3 |
| CVE-2025-12734 | HTML Injection | 3.5 |
GitLab strongly recommends all self-managed installations upgrade immediately, as GitLab.com already runs the patched version.
The most severe vulnerabilities include a cross-site scripting flaw in Wiki functionality and improper encoding in vulnerability reports, both with a CVSS score of 8.7.
Additionally, an XSS vulnerability in Swagger UI (CVSS 8.0) and a GraphQL denial-of-service issue (CVSS 7.5) pose significant risks.
The GraphQL vulnerability particularly concerns unauthenticated attackers who can craft queries bypassing complexity limits to trigger service disruptions.
An authentication bypass affecting WebAuthn two-factor-authentication users poses a medium-severity threat. Enabling authenticated attackers to circumvent security controls.
Three denial-of-service vulnerabilities target ExifTool processing, Commit API, and GraphQL endpoints, potentially disrupting service availability.
Additional issues include information disclosure through error messages and HTML injection in merge request titles.
Users running versions before 18.4.6, 18.5.x before 18.5.4, or 18.6.x before 18.6.2 are vulnerable to these exploits.
The patch includes database migrations that may impact upgrade timelines. Single-node instances will experience downtime during migration completion.
Properly configured multi-node deployments can apply updates without service interruption using zero-downtime procedures.
Organizations should prioritize these updates as part of regular security hygiene practices. GitLab Dedicated customers do not require action.
Additional details regarding affected version ranges and specific patch notes are available in the official GitLab release documentation.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
The post GitLab Patches Multiple Vulnerabilities that Allows Attackers to Trigger XSS and DoS Attack appeared first on Cyber Security News.
A newly uncovered phishing campaign is delivering Agent Tesla, one of the most widely used…
The Trump Administration’s purchase of two vacant warehouses in two rural Pennsylvania townships illustrates where…
Netflix has announced that it has declined to raise its offer for Warner Bros. Discovery,…
The Federal Emergency Management Agency building in Washington, D.C., on Nov. 25, 2024. (Photo by…
Less than 24 hours before the deadline in an ultimatum issued by the Pentagon, Anthropic…
Netflix has dropped its $83 billion deal to acquire the Warner Bros. studio, HBO, and…
This website uses cookies.