GitLab has released critical security updates for its Community and Enterprise Editions to fix multiple high-risk vulnerabilities. These flaws include cross-site scripting (XSS), denial of service (DoS), and a bug allowing attackers to take over user accounts. The company urges immediate updates to versions 17.11.1, 17.10.5, and 17.9.7, warning that older installations remain exposed. While GitLab.com and Dedicated customers are already secure, self-managed instances need urgent attention to prevent sophisticated attacks.
The XSS vulnerabilities, CVE-2025-1763 and CVE-2025-2443, exploit the Maven dependency proxy feature through either CSP directives or cache headers. These vulnerabilities affect all GitLab versions from 16.6 through to the latest patched releases. Attackers could inject scripts directly into browsers, leading to compromised user data or hijacked sessions. If left unpatched, these issues can seriously undermine the security posture of affected organizations.
Another major bug, CVE-2025-1908, involves NEL header injection and enables attackers to monitor browser activity and potentially hijack accounts. The CVE-2025-0639 flaw can trigger denial of service by exploiting crafted issue previews that crash GitLab’s issue tracker. A medium-severity issue, CVE-2024-12244, allows unauthorized users to access branch names even when repository assets are disabled. This may expose sensitive development information to unapproved individuals.
GitLab credited security researchers from its HackerOne program for responsibly disclosing the issues and supporting a fast response. The company confirmed that full vulnerability details will be shared via its public issue tracker 30 days after release. Users are encouraged to follow GitLab’s security recommendations and upgrade immediately to reduce risk. Rapid patching remains a crucial part of maintaining secure DevOps workflows.