GitLab Releases Critical Security Updates to Address DoS and XSS Vulnerabilities
GitLab has issued security patch releases for both its Community Edition (CE) and Enterprise Edition (EE), addressing four high-severity vulnerabilities (CVSS 7.3 to 8.0) that could allow attackers to take a server offline, steal sensitive data, or act in the browser session of another user. The patched versions (18.8.4, 18.7.4, and 18.6.6) are available now, and administrators of self-managed instances are strongly urged to upgrade immediately. GitLab.com already runs the patched code, so users of the hosted service are protected.
Key Vulnerabilities Addressed:
1. CVE-2025-7659 (CVSS 8.0): This high-severity vulnerability resides in GitLab's Web IDE component. Because of incomplete validation, an unauthenticated attacker could exploit the flaw to obtain private tokens and read confidential repositories without authorization.
2. CVE-2025-8099 (CVSS 7.5): This Denial-of-Service (DoS) vulnerability affects the GraphQL interface. An attacker who sends repeated, resource-intensive queries to the GraphQL endpoint can crash the service and cause downtime.
3. CVE-2026-0958 (CVSS 7.5): Another DoS vulnerability, this issue lies in the JSON validation middleware. A request that bypasses the JSON validation can exhaust server resources, degrading performance or making the service unavailable.
4. CVE-2025-14560 (CVSS 7.3): This Cross-Site Scripting (XSS) vulnerability is found in the Code Flow feature. An attacker can inject script into content that, when viewed by another user, executes in that user's browser and performs actions on the victim's behalf, potentially leading to data theft or further exploitation.
Additional Medium-Severity Vulnerabilities:
Beyond these high-severity issues, the update also addresses several medium-severity vulnerabilities, including:
– Server-Side Request Forgery (SSRF): This flaw could let an attacker make the GitLab server issue requests to destinations of the attacker's choosing, potentially reaching internal services or exposing sensitive information.
– HTML Injection Flaws: These vulnerabilities let an attacker inject HTML into pages rendered for other users, which could be used to manipulate what those users see or to trick them into unintended actions.
Recommendations for Administrators:
GitLab strongly recommends that all customers running affected versions upgrade to the latest patched release on their line (18.8.4, 18.7.4, or 18.6.6) immediately to mitigate these vulnerabilities. Administrators should expect downtime when upgrading single-node instances, since the upgrade runs database migrations. After upgrading, confirm the running version (shown in the Admin area, or returned by the authenticated GET /api/v4/version endpoint) matches the patched release.
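To turn the version list above into a repeatable check, the following script (an added example written for this article, not GitLab's own tooling) compares a self-managed instance's reported version against the three patched releases named in the advisory. It parses the version string that GitLab's GET /api/v4/version endpoint returns (the suffixes like "-ee" and "-pre" are real GitLab conventions), and the embedded API responses are constructed samples. It also assumes, as a labelled assumption, that release lines older than 18.6 received no patch and therefore need an upgrade; the `fetch_version` helper that talks to a live instance is optional and is not called at import time.

```python
import json
import re
import urllib.request
from typing import Tuple

# Patched versions named in the advisory, keyed by release line (major, minor).
PATCHED = {
    (18, 8): (18, 8, 4),
    (18, 7): (18, 7, 4),
    (18, 6): (18, 6, 6),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(raw: str) -> Tuple[int, int, int]:
    """Extract MAJOR.MINOR.PATCH from strings such as '18.7.2-ee' or '18.8.0-pre'."""
    m = _VERSION_RE.match(raw.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {raw!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def needs_upgrade(raw: str) -> Tuple[bool, str]:
    """Return (True, reason) if the version is below the patched release on its line."""
    major, minor, patch = parse_version(raw)
    line = (major, minor)
    if line in PATCHED:
        target = PATCHED[line]
        target_str = ".".join(map(str, target))
        if (major, minor, patch) < target:
            return True, f"{raw} is on the {major}.{minor} line but below {target_str}"
        return False, f"{raw} already includes the {target_str} fixes"
    if line < min(PATCHED):
        # Assumption: lines older than 18.6 were not patched, so treat them as affected.
        return True, f"{raw} predates the oldest patched line (18.6); upgrade to a patched release"
    return False, f"{raw} is newer than the release lines named in the advisory"


def check_version_response(body: str) -> Tuple[bool, str]:
    """Evaluate the JSON body of GET /api/v4/version ({"version": ..., "revision": ...})."""
    data = json.loads(body)
    return needs_upgrade(data["version"])


def fetch_version(base_url: str, token: str) -> str:
    """Optional live query; the endpoint requires authentication via PRIVATE-TOKEN."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:  # network call, not run here
        return json.loads(resp.read().decode())["version"]


# Constructed sample responses standing in for several self-managed instances.
SAMPLE_RESPONSES = {
    "build-01": '{"version": "18.8.3-ee", "revision": "0000000"}',
    "build-02": '{"version": "18.7.4-ee", "revision": "1111111"}',
    "build-03": '{"version": "18.5.9", "revision": "2222222"}',
}


def triage(responses: dict) -> dict:
    """Map each instance name to True if it still needs the upgrade."""
    return {name: check_version_response(body)[0] for name, body in responses.items()}


if __name__ == "__main__":
    for name, body in SAMPLE_RESPONSES.items():
        affected, reason = check_version_response(body)
        print(f"{name}: {'UPGRADE' if affected else 'ok'} - {reason}")
```

The comparison is done on integer tuples rather than on the raw string so that "18.8.10" sorts after "18.8.4"; string comparison would get that wrong. Any version that does not parse raises rather than silently passing as "ok".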
Conclusion:
The prompt release of these patches underscores GitLab’s commitment to maintaining the security and integrity of its platform. By addressing these vulnerabilities swiftly, GitLab aims to protect its users from potential exploits that could compromise data and disrupt services.