Threat Advisory

GitLab Kubernetes Proxy XSS and Multiple Security Vulnerabilities

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

A high-severity stored XSS flaw has been fixed in GitLab for both Community and Enterprise editions. The most serious issue (CVSS 7.7) affects the Kubernetes proxy feature, where improper input checks allowed malicious scripts to be stored and executed for other users. Attackers with low-privileged access could hijack active sessions, steal sensitive data, or take over accounts. Along with this, an authorization issue in GitLab EE allowed users to delete Duo authentication workflows belonging to others. Multiple information leaks, access control mistakes, and denial-of-service issues were also patched across several GitLab components.

CVE-2025-11224: This flaw allowed an authenticated user to insert harmful JavaScript into the Kubernetes proxy feature due to weak input validation. Once stored, this script could run for other users who viewed the affected page. This could expose sensitive information, authentication tokens, or even admin sessions. The issue required low privileges to trigger, making it easy for attackers inside a project or group to exploit.

CVE-2025-11865: This issue was limited to Enterprise Edition and allowed one user to delete Duo authentication workflows of another user. The root cause was incorrect permission checks that failed to restrict actions to the workflow owner. If exploited, it could disrupt authentication processes and break internal security pipelines.

CVE-2025-2615: This flaw allowed unauthorized users to gain access to certain data shared through GraphQL subscription channels. Due to insufficient filtering or access checks, sensitive information could have been exposed. Attackers could use this to gather internal project data or system activity patterns.

CVE-2025-7000: A logic issue allowed users to view restricted branch names in certain conditions. This could reveal project structure or internal development work. Although not directly allowing modification, visibility of confidential branches could assist attackers in planning further actions.

CVE-2025-6945: This flaw allowed manipulation of prompt input in Duo Review. Attackers could exploit this to alter outputs or introduce unexpected actions during code review. This could disrupt review processes or influence decisions made by developers.

CVE-2025-11990: This issue enabled attackers to access CSRF tokens due to unsafe handling of client-side paths. Once obtained, CSRF tokens could be used to perform unwanted actions on behalf of another user.

CVE-2025-6171: This flaw exposed sensitive package-related details through the API. Attackers could gather internal metadata or dependency information. Such insights could help in supply-chain-based attacks or internal mapping of the system.

CVE-2025-7736: A permission error allowed users to access GitLab Pages they should not have been able to view. This risked exposing private project pages, internal documentation, or stored files. The flaw could reveal sensitive information unintentionally.

CVE-2025-12983: Excessive nested markdown could be used to overload processing on the server side. Attackers could exploit this to cause temporary service disruptions. While not allowing direct compromise, it affected system availability.

RECOMMENDATION:

We strongly recommend that you upgrade GitLab (Community and Enterprise editions) to version 18.5.2, 18.4.4, or 18.3.6.
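As an added example (not part of this advisory and not GitLab's own tooling), the following Python snippet turns the recommendation above into an inventory check: it parses GitLab version strings such as "18.5.1-ee", maps each installed version onto the release branch it belongs to, and reports whether that branch is at or above the fixed version named here. The hostnames and versions in the inventory are constructed for illustration.

```python
import re

# Fixed versions named in this advisory, one per GitLab release branch.
FIXED_VERSIONS = ("18.5.2", "18.4.4", "18.3.6")

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "gitlab-prod": "18.5.1-ee",
    "gitlab-stage": "18.4.4-ce",
    "gitlab-legacy": "18.2.9",
    "gitlab-new": "18.6.0-ee",
}


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH' with an optional '-ee'/'-ce' style suffix."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(?:-[A-Za-z0-9.]+)?\s*", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(installed, fixed_versions=FIXED_VERSIONS):
    """True if the installed version carries the fixes from this advisory.

    Rules (assumption made in this example): a version is patched when its
    release branch (major.minor) has a fixed version and the patch level is
    at or above it, or when the branch is newer than every fixed branch
    (released after the fix). Anything else is treated as unpatched, which
    is the conservative answer for a triage script.
    """
    inst = parse_version(installed)
    fixed = sorted(parse_version(v) for v in fixed_versions)
    branch = inst[:2]
    for f in fixed:
        if f[:2] == branch:
            return inst[2] >= f[2]
    return branch > fixed[-1][:2]


def triage(inventory):
    """Map each host to 'patched' or 'UPGRADE' for the given inventory."""
    return {
        host: ("patched" if is_patched(version) else "UPGRADE")
        for host, version in inventory.items()
    }


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:15} {SAMPLE_INVENTORY[host]:10} {status}")
```

The branch-aware comparison matters here because a plain "is the version greater than 18.5.2" test would wrongly flag 18.4.4 and 18.3.6 as unpatched even though they are exactly the fixed releases for their branches.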

REFERENCES:

The following reports contain further technical details:

https://securityonline.info/high-severity-gitlab-xss-flaw-cve-2025-11224-risks-kubernetes-proxy-session-hijacking/