EXECUTIVE SUMMARY:
GitLab has issued a security advisory urging all users of self-managed GitLab installations to upgrade immediately to mitigate several vulnerabilities. These include multiple Cross-Site Scripting (XSS) flaws in the Maven Dependency Proxy, which could allow attackers to execute scripts in users' browsers and, under specific conditions, bypass the content security policy. A Network Error Logging (NEL) Header Injection vulnerability in the same component could allow tracking of users' browsing activity and, under specific conditions, a full account takeover. A Denial-of-Service (DoS) vulnerability affecting service availability via issue previews and an access control issue exposing branch names to unauthorized users have also been identified. To mitigate these risks, GitLab strongly recommends that users upgrade to the latest patched versions immediately.
- CVE-2025-1763: A Cross-Site Scripting (XSS) vulnerability in the Maven Dependency Proxy feature of GitLab. It allows attackers to inject malicious scripts into a user's browser, potentially bypassing the content security policy under specific conditions. CVSS score: 8.7.
- CVE-2025-2443: A Cross-Site Scripting (XSS) vulnerability in GitLab's Maven Dependency Proxy. It allows attackers to inject malicious scripts, potentially bypassing the content security policy in certain user browser contexts. CVSS score: 8.7.
- CVE-2025-1908: A Network Error Logging (NEL) Header Injection vulnerability in GitLab's Maven Dependency Proxy. It allows attackers to inject unauthorized NEL headers, enabling tracking of users' browsing behavior, and poses a risk of full account takeover if exploited under specific conditions. CVSS score: 7.7.
- CVE-2025-0639: A Denial of Service (DoS) vulnerability in GitLab arising from improper handling of issue previews, which can lead to service disruption or unavailability. Successful exploitation causes downtime and degrades the user experience. CVSS score: 6.5.
- CVE-2024-12244: An access control vulnerability in GitLab that allows unauthorized users to access branch names when repository assets are disabled in the project. Exploitation could lead to information leakage or unauthorized access to sensitive project details. CVSS score: 4.3.
RECOMMENDATION:
- We strongly recommend you update GitLab CE/EE to version 17.11.1, 17.10.5 or 17.9.7, whichever corresponds to the release branch you are running.
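The following script, added here as an illustration and not part of the advisory or of GitLab's own tooling, checks a version string against the patched releases named above (17.11.1, 17.10.5, 17.9.7) and reports which upgrade target applies. It assumes the version string uses GitLab's MAJOR.MINOR.PATCH form with an optional edition suffix such as "-ee"; the inventory of instances at the bottom is constructed sample data.

```python
"""Classify self-managed GitLab versions against the patched releases
named in this advisory: 17.11.1, 17.10.5 and 17.9.7 (added example)."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Patched releases from the advisory, keyed by release branch (major, minor).
PATCHED_RELEASES: Dict[Tuple[int, int], Version] = {
    (17, 11): (17, 11, 1),
    (17, 10): (17, 10, 5),
    (17, 9): (17, 9, 7),
}

# Assumed format: "17.10.4" or "17.10.4-ee"; anything else is rejected.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-[\w.]+)?$")


def parse_version(text: str) -> Version:
    """Parse a GitLab version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def format_version(v: Version) -> str:
    return ".".join(str(x) for x in v)


def assess(version_text: str) -> str:
    """Return one of:
    'patched'             - at or above the fixed release for its branch
    'vulnerable'          - on a patched branch but below the fixed release
    'unsupported-branch'  - older than every branch the advisory patches
    'newer-than-advisory' - newer than every branch the advisory covers
    """
    v = parse_version(version_text)
    branch = (v[0], v[1])
    if branch in PATCHED_RELEASES:
        return "patched" if v >= PATCHED_RELEASES[branch] else "vulnerable"
    if branch < min(PATCHED_RELEASES):
        # No fixed release exists for this branch; moving to a patched branch is the only fix.
        return "unsupported-branch"
    return "newer-than-advisory"


def recommended_upgrade(version_text: str) -> Optional[str]:
    """Suggest the smallest upgrade that resolves the advisory, or None if none is needed."""
    status = assess(version_text)
    if status in ("patched", "newer-than-advisory"):
        return None
    v = parse_version(version_text)
    if status == "vulnerable":
        return format_version(PATCHED_RELEASES[(v[0], v[1])])
    # Unsupported branch: recommend the newest patched release in the advisory.
    return format_version(max(PATCHED_RELEASES.values()))


def report(inventory: Dict[str, str]) -> List[Tuple[str, str, str, Optional[str]]]:
    """Build (instance, version, status, upgrade-to) rows for an inventory of instances."""
    rows = []
    for name, version in sorted(inventory.items()):
        rows.append((name, version, assess(version), recommended_upgrade(version)))
    return rows


if __name__ == "__main__":
    # Constructed sample inventory; in practice the version string would come
    # from each instance's administration UI or its version API.
    sample_inventory = {
        "gitlab-prod": "17.10.4-ee",
        "gitlab-staging": "17.11.1-ee",
        "gitlab-legacy": "17.8.9",
    }
    for name, version, status, target in report(sample_inventory):
        action = f"upgrade to {target}" if target else "no action from this advisory"
        print(f"{name:16} {version:12} {status:20} {action}")
```

Versions are compared as integer tuples so that, for example, 17.10.4 sorts below 17.10.5 rather than being compared as strings. A branch older than 17.9 has no patched release in this advisory, so the script recommends the newest listed release; a version newer than 17.11 falls outside what the advisory covers and is reported as such rather than being assumed safe.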
REFERENCES:
The following reports contain further technical details: