GitLab Urges Immediate Updates to Patch Critical Vulnerabilities in Latest Security Release

GitLab Patches Critical Vulnerabilities Allowing Malicious Prompt Injections

GitLab has recently addressed several critical security vulnerabilities in both its Community Edition (CE) and Enterprise Edition (EE) by releasing versions 18.5.2, 18.4.4, and 18.3.6. These updates are crucial for preventing potential exploits that could compromise sensitive data and bypass access controls.

Prompt Injection Vulnerability in GitLab Duo

A significant concern is the prompt injection vulnerability within GitLab Duo’s review feature. This flaw allows attackers to embed hidden malicious prompts directly into merge request comments. These covert instructions can deceive the AI system into revealing sensitive information from confidential issues. This vulnerability affects GitLab Enterprise Edition versions 17.9 and later, posing a risk of unauthorized access to classified project data.

Additional Vulnerabilities Addressed

Beyond the prompt injection issue, GitLab has patched nine other vulnerabilities of varying severity:

– Cross-Site Scripting (XSS) in Kubernetes Proxy (CVE-2025-11224): Authenticated users could execute malicious scripts due to improper input validation in the Kubernetes proxy, affecting versions 15.10 and later.

– Authorization Bypass in Workflows (CVE-2025-11865): Users could remove AI flows belonging to others, compromising workflow integrity.

– Information Disclosure via GraphQL Subscriptions (CVE-2025-2615): Blocked users could establish GraphQL subscriptions, potentially accessing sensitive data.

– Information Disclosure in Access Control (CVE-2025-7000): Unauthorized viewing of branch names was possible due to access control weaknesses.

– Prompt Injection in GitLab Duo Review (CVE-2025-6945): Similar to the primary vulnerability, this issue involved injecting prompts to manipulate AI behavior.

– Information Disclosure in Packages API Endpoint (CVE-2025-6171): Sensitive data could be accessed even when repository access was disabled.

– Client-Side Path Traversal in Branch Names (CVE-2025-11990): Malicious branch names could lead to unauthorized file access.

– Improper Access Control in GitLab Pages (CVE-2025-7736): OAuth authentication bypasses were possible, allowing unauthorized access.

– Denial-of-Service via Markdown (CVE-2025-12983): Specially crafted Markdown content could lead to service disruptions.

Recommendations for Users

GitLab strongly recommends that all users upgrade to the patched versions immediately. The company has already updated GitLab.com, and GitLab Dedicated customers require no action. Self-managed installations must prioritize these updates to safeguard against potential exploits.

The patches include database migrations that may affect the upgrade process. Single-node instances will experience downtime while the migrations run, whereas multi-node installations can upgrade without downtime if they follow GitLab's documented zero-downtime upgrade procedure.
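As an added example (not GitLab's own tooling or code from this article), the following Python check compares the version an instance reports against the three patched releases named above, so an administrator can tell at a glance which patch level a self-managed install needs. The `/api/v4/version` endpoint and the `PRIVATE-TOKEN` header are real GitLab API features; how release lines outside 18.3 to 18.5 are treated is an assumption noted in the code.

```python
import json
import re
import urllib.request
from typing import Optional

# Fixed versions named in this security release, keyed by release line:
# (major, minor) -> first patch level that contains the fixes.
PATCHED_RELEASES = {(18, 5): 2, (18, 4): 4, (18, 3): 6}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-[\w.]+)?$")


def parse_version(version: str) -> tuple:
    """Parse '18.4.3' or '18.4.3-ee' into (major, minor, patch)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {version!r}")
    return tuple(int(part) for part in m.groups())


def required_upgrade(version: str) -> Optional[str]:
    """Return the patched version this instance should move to, or None.

    Assumption (not stated in the advisory): a release line newer than
    18.5 already carries the fixes, and a line older than 18.3 has no
    patched release of its own, so the oldest patched version is suggested
    (the real upgrade path may require intermediate stops).
    """
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in PATCHED_RELEASES:
        fixed = PATCHED_RELEASES[line]
        return None if patch >= fixed else f"{major}.{minor}.{fixed}"
    if line > max(PATCHED_RELEASES):
        return None
    oldest = min(PATCHED_RELEASES)
    return f"{oldest[0]}.{oldest[1]}.{PATCHED_RELEASES[oldest]}"


def check_instance(base_url: str, token: str) -> Optional[str]:
    """Query /api/v4/version (requires an authenticated token) and evaluate it."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        reported = json.load(resp)["version"]
    return required_upgrade(reported)


if __name__ == "__main__":
    # Constructed sample versions; this demo makes no network requests.
    for v in ("18.5.1", "18.4.4-ee", "18.3.5", "18.2.0"):
        print(v, "->", required_upgrade(v) or "patched")
```

Run `check_instance("https://gitlab.example.com", token)` with a read-only personal access token to evaluate a live instance; a `None` result means the reported version already includes the fixes.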

Most of these vulnerabilities were discovered through GitLab’s HackerOne bug bounty program, highlighting the importance of community-driven security efforts. GitLab commits to releasing detailed security information 30 days after each patch on its public issue tracker.

Organizations should review their current GitLab versions and deploy patches without delay to protect against these escalating security threats.