GitLab Releases Critical Security Updates to Address Multiple Vulnerabilities
On December 10, 2025, GitLab, a leading DevOps platform, announced the release of critical security patches for its Community Edition (CE) and Enterprise Edition (EE). These updates address ten significant vulnerabilities, including high-severity cross-site scripting (XSS) flaws and denial-of-service (DoS) issues, underscoring the company’s commitment to maintaining a secure environment for its users.
Overview of the Vulnerabilities
The latest security release encompasses a range of vulnerabilities with varying severity levels:
– High-Severity Vulnerabilities:
  – CVE-2025-12716: An XSS vulnerability in the Wiki functionality, allowing attackers to inject malicious scripts.
  – CVE-2025-8405: Improper encoding in vulnerability reports, leading to potential HTML injection attacks.
  – CVE-2025-12029: An XSS flaw in the Swagger UI, enabling unauthorized script execution.
  – CVE-2025-12562: A DoS vulnerability in the GraphQL API, which could be exploited to disrupt services.
– Medium-Severity Vulnerabilities:
  – CVE-2025-11984: An authentication bypass issue affecting WebAuthn two-factor authentication users.
  – CVE-2025-4097: A DoS vulnerability in ExifTool processing, potentially leading to service disruptions.
  – CVE-2025-14157: A DoS issue in the Commit API, which could be exploited to overload the system.
– Low-Severity Vulnerabilities:
  – CVE-2025-11247: Information disclosure through error messages, potentially exposing sensitive data.
  – CVE-2025-13978: Another information disclosure issue, revealing internal system details.
  – CVE-2025-12734: HTML injection in merge request titles, allowing for potential content manipulation.
Detailed Analysis of High-Severity Vulnerabilities
1. Cross-Site Scripting in Wiki Functionality (CVE-2025-12716):
This vulnerability allows attackers to inject malicious JavaScript into Wiki pages. When other users view these pages, the scripts execute in their browsers, potentially leading to session hijacking or data theft. The flaw affects all GitLab versions prior to 18.4.6.
2. Improper Encoding in Vulnerability Reports (CVE-2025-8405):
Due to inadequate encoding practices, attackers can inject HTML into vulnerability reports. This could lead to unauthorized content rendering and potential XSS attacks. All versions before 18.4.6 are susceptible to this issue.
3. XSS in Swagger UI (CVE-2025-12029):
The Swagger UI component contains an XSS flaw that enables attackers to execute arbitrary scripts in the context of a user’s browser session. This vulnerability affects versions prior to 18.4.6.
4. Denial-of-Service via GraphQL API (CVE-2025-12562):
An unauthenticated attacker can craft specific GraphQL queries that bypass complexity limits, leading to excessive resource consumption and service disruption. This issue impacts all versions before 18.4.6.
Recommendations for Users
GitLab strongly advises all self-managed installations to upgrade to the latest patched versions—18.6.2, 18.5.4, or 18.4.6—immediately. Users of GitLab.com are already protected, as the platform has been updated to the latest version. GitLab Dedicated customers do not need to take any action.
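A fleet check a defender could run against the versions named above, added here as an example and not GitLab's own code: it reads the `version` field of GitLab's `GET /api/v4/version` response (a real endpoint; the JSON bodies below are constructed samples, not captured output) and classifies each instance against the patched releases 18.6.2, 18.5.4 and 18.4.6. It assumes that within the 18.5 and 18.6 branches only releases at or above those patch levels are fixed, and that anything older than 18.4.6 is affected.

```python
"""Classify GitLab instances against the December 10, 2025 security release.

Patched releases per the advisory: 18.6.2, 18.5.4 and 18.4.6. Every
version before 18.4.6 is affected; in the 18.5 and 18.6 branches,
releases below the listed patch level are affected. Branches newer
than 18.6 post-date the advisory and are flagged for manual review.
"""
import json
import re

# Minimum patched release for each branch that received a fix.
PATCHED = {(18, 4): (18, 4, 6), (18, 5): (18, 5, 4), (18, 6): (18, 6, 2)}
OLDEST_PATCHED = (18, 4, 6)


def parse_version(version):
    """Turn strings like '18.5.3-ee' or '18.4.6' into (18, 5, 3)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def assess(version):
    """Return 'patched', 'vulnerable' or 'newer-than-advisory'."""
    v = parse_version(version)
    branch = v[:2]
    if branch in PATCHED:
        return "patched" if v >= PATCHED[branch] else "vulnerable"
    if v < OLDEST_PATCHED:
        # 18.3 and older never received this fix; move to a patched branch.
        return "vulnerable"
    # Newer than 18.6: check GitLab's release notes rather than assume.
    return "newer-than-advisory"


def assess_fleet(responses):
    """Map instance name -> assessment for /api/v4/version JSON bodies."""
    return {name: assess(json.loads(body)["version"]) for name, body in responses.items()}


# Constructed sample responses for a hypothetical fleet (no real hosts).
SAMPLE_RESPONSES = {
    "gitlab-prod": '{"version":"18.5.3-ee","revision":"constructed"}',
    "gitlab-stage": '{"version":"18.6.2","revision":"constructed"}',
    "gitlab-legacy": '{"version":"17.11.4-ce","revision":"constructed"}',
    "gitlab-next": '{"version":"18.7.0-pre","revision":"constructed"}',
}

if __name__ == "__main__":
    for name, status in assess_fleet(SAMPLE_RESPONSES).items():
        print(f"{name:14s} {status}")
```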
Upgrade Considerations
The patch includes database migrations that may affect upgrade timelines. Single-node instances will experience downtime during the migration process. However, properly configured multi-node deployments can apply updates without service interruption using zero-downtime procedures.
Conclusion
The release of these critical security patches highlights GitLab’s proactive approach to safeguarding its platform and user data. Organizations are urged to prioritize these updates as part of their regular security maintenance to mitigate potential risks associated with these vulnerabilities.