{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2025-011.pdf"
    },
    "title": "Critical Vulnerabilities in Gitlab",
    "serial_number": "2025-011",
    "publish_date": "14-03-2025 16:03:26",
    "description": "On March 13, 2025, GitLab released security updates for Community Edition (CE) and Enterprise Edition (EE), addressing nine vulnerabilities, including two critical-severity flaws in the \"ruby-saml\" library used for SAML Single Sign-On (SSO) authentication. <br>\nIt is recommended to update affected assets as soon as possible.<br>\n",
    "url_title": "2025-011",
    "content_markdown": "---\ntitle: 'Critical Vulnerabilities in\u00a0Gitlab'\nnumber: '2025-011'\nversion: '1.0'\noriginal_date: '2025-03-13'\ndate: '2025-03-14'\n---\n\n_History:_\n\n* _14/03/2025 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn March 13, 2025, GitLab released security updates for Community Edition (CE) and Enterprise Edition (EE), addressing nine vulnerabilities, including two critical-severity flaws in the `ruby-saml` library used for SAML Single Sign-On (SSO) authentication [1].\n\nIt is recommended to update affected assets as soon as possible.\n\n# Technical Details\n\nThe critical vulnerabilities **CVE-2025-25291** and **CVE-2025-25292** affect the `ruby-saml` library. If exploited, they could allow an attacker with access to a valid signed SAML document to impersonate another user within the same SAML IdP environment. This can result in unauthorised access to another user's account.\n\nThe vulnerability **CVE-2025-27407** is a high-severity remote code execution issue in the Ruby `graphql` library. It allows an authenticated attacker to abuse the Direct Transfer feature (disabled by default) to achieve remote code execution.\n\n# Affected Products\n\nThese vulnerabilities affect GitLab Community Edition (CE) and Enterprise Edition (EE) versions prior to 17.7.7, 17.8.5, and 17.9.2.\n\n# Recommendations\n\nCERT-EU recommends upgrading affected servers as soon as possible, prioritising Internet-facing assets.\n\n## Workarounds\n\nIf immediate remediation is not possible, consider the following temporary mitigations:\n\n- Ensure all users have two-factor authentication (2FA) enabled.\n- Disable the `SAML two-factor bypass` option.\n- Request admin approval for auto-created users by setting the following in `gitlab.rb`:\n\n```ruby\ngitlab_rails['omniauth_block_auto_created_users'] = true\n```\n\n# References\n\n[1] <https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released/>",
    "content_html": "<p><em>History:</em></p><ul><li><em>14/03/2025 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On March 13, 2025, GitLab released security updates for Community Edition (CE) and Enterprise Edition (EE), addressing nine vulnerabilities, including two critical-severity flaws in the <code>ruby-saml</code> library used for SAML Single Sign-On (SSO) authentication [1].</p><p>It is recommended to update affected assets as soon as possible.</p><h2 id=\"technical-details\">Technical Details</h2><p>The critical vulnerabilities <strong>CVE-2025-25291</strong> and <strong>CVE-2025-25292</strong> affect the <code>ruby-saml</code> library. If exploited, they could allow an attacker with access to a valid signed SAML document to impersonate another user within the same SAML IdP environment. This can result in unauthorised access to another user's account.</p><p>The vulnerability <strong>CVE-2025-27407</strong> is a high-severity remote code execution issue in the Ruby <code>graphql</code> library. It allows an authenticated attacker to abuse the Direct Transfer feature (disabled by default) to achieve remote code execution.</p><h2 id=\"affected-products\">Affected Products</h2><p>These vulnerabilities affect GitLab Community Edition (CE) and Enterprise Edition (EE) versions prior to 17.7.7, 17.8.5, and 17.9.2.</p><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU recommends upgrading affected servers as soon as possible, prioritising Internet-facing assets.</p><h3 id=\"workarounds\">Workarounds</h3><p>If immediate remediation is not possible, consider the following temporary mitigations:</p><ul><li>Ensure all users have two-factor authentication (2FA) enabled.</li><li>Disable the <code>SAML two-factor bypass</code> option.</li><li>Request admin approval for auto-created users by setting the following in <code>gitlab.rb</code>:</li></ul><p><code>gitlab_rails['omniauth_block_auto_created_users'] = true</code></p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released/\">https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}