GitLab has released updated versions 18.6.2, 18.5.4, and 18.4.6 to address multiple high-severity security issues.
Four vulnerabilities received high-severity ratings and require immediate remediation.
The vulnerability landscape includes four high-severity flaws, five medium-severity issues, and one low-severity vulnerability.
Four of the critical issues involve cross-site scripting (XSS) attacks and improper encoding that could allow unauthorized actions on behalf of other users.
| CVE ID | Vulnerability Type | CVSS Score |
|---|---|---|
| CVE-2025-12716 | Cross-site Scripting (XSS) | 8.7 |
| CVE-2025-8405 | Improper Encoding / HTML Injection | 8.7 |
| CVE-2025-12029 | Cross-site Scripting (XSS) | 8.0 |
| CVE-2025-12562 | Denial of Service (DoS) | 7.5 |
| CVE-2025-11984 | Authentication Bypass | 6.8 |
| CVE-2025-4097 | Denial of Service (DoS) | 6.5 |
| CVE-2025-14157 | Denial of Service (DoS) | 6.5 |
| CVE-2025-11247 | Information Disclosure | 4.3 |
| CVE-2025-13978 | Information Disclosure | 4.3 |
| CVE-2025-12734 | HTML Injection | 3.5 |
GitLab strongly recommends all self-managed installations upgrade immediately, as GitLab.com already runs the patched version.
The most severe vulnerabilities include a cross-site scripting flaw in Wiki functionality and improper encoding in vulnerability reports, both with a CVSS score of 8.7.
Additionally, an XSS vulnerability in Swagger UI (CVSS 8.0) and a GraphQL denial-of-service issue (CVSS 7.5) pose significant risks.
The GraphQL vulnerability particularly concerns unauthenticated attackers who can craft queries bypassing complexity limits to trigger service disruptions.
An authentication bypass affecting WebAuthn two-factor-authentication users poses a medium-severity threat. Enabling authenticated attackers to circumvent security controls.
Three denial-of-service vulnerabilities target ExifTool processing, Commit API, and GraphQL endpoints, potentially disrupting service availability.
Additional issues include information disclosure through error messages and HTML injection in merge request titles.
Users running versions before 18.4.6, 18.5.x before 18.5.4, or 18.6.x before 18.6.2 are vulnerable to these exploits.
The patch includes database migrations that may impact upgrade timelines. Single-node instances will experience downtime during migration completion.
Properly configured multi-node deployments can apply updates without service interruption using zero-downtime procedures.
Organizations should prioritize these updates as part of regular security hygiene practices. GitLab Dedicated customers do not require action.
Additional details regarding affected version ranges and specific patch notes are available in the official GitLab release documentation.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
The post GitLab Patches Multiple Vulnerabilities that Allows Attackers to Trigger XSS and DoS Attack appeared first on Cyber Security News.
Mobile Swipe Menu is a vanilla JavaScript library that creates touch-enabled off-canvas side menus for…
tiks is a JavaScript sound effect library that generates iOS-like UI audio feedback at runtime…
LANSING, MI (WOWO) A broad coalition of business groups, housing advocates and environmental organizations is…
LANSING, MI (WOWO) Michigan lawmakers are advancing a series of proposals aimed at reforming the…
A group of unauthorized users has reportedly breached access controls surrounding Claude Mythos Preview, Anthropic’s…
MARSHALL COUNTY, IND. (WOWO) Marshall County commissioners have approved a permanent ban on data centers…
This website uses cookies.