Patch now: Cross-site scripting and denial of service possible in GitLab

GitLab warns of three vulnerabilities, one of which has a threat level of "high". Patches are available for the newer versions.


The operators of GitLab have published patch releases for their version management platform. The updates are available for both the Community Edition (CE) and the Enterprise Edition (EE).

Versions 17.8.1, 17.7.3 and 17.6.4 fix three vulnerabilities, one of which is classified as "high" and two as "medium".


In its blog, GitLab urgently advises users to install the patch releases as soon as possible. Anyone using the service on GitLab.com is already working with the updated versions – the provider maintains the cloud servers itself.

The vulnerability with the CVE entry (Common Vulnerabilities and Exposures) CVE-2025-0314, which is currently only marked as reserved, is classified as a high threat with a severity level of CVSS 8.7 out of 10. It enables stored XSS (cross-site scripting) via the rendering of Asciidoctor content. Stored XSS means that the malicious code is stored on the server and is therefore triggered not only by direct input, but also by other requests. There was also a stored XSS vulnerability in GitLab in June 2024.

The CVE entry CVE-2024-11931, which is also not yet publicly available, has been assigned the severity level CVSS 6.4 and therefore poses a medium risk. The associated vulnerability makes it possible to read protected variables from the CI/CD process (Continuous Integration / Continuous Delivery) via CI Lint. CI Lint is used as a linter to check the validity of the Yaml files for the CI/CD configuration.

Finally, the CVE entry CVE-2024-6324 describes a vulnerability classified with the severity level CVSS 4.3 – also a medium threat level – which enables a denial of service (DoS) attack through cyclic references between epics.

(rme)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.