---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: The Cybersecurity Service for the Union institutions, bodies, offices and agencies
title: 'High Severity Vulnerabilities in Gitlab Products'
number: '2025-020'
version: '1.0'
original_date: '2025-06-12'
date: '2025-06-12'
---

_History:_

* _12/06/2025 --- v1.0 -- Initial publication_

# Summary

On 11 June 2025, GitLab released security updates for their products addressing multiple vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE) [1].

It is recommended to update affected GitLab installations as soon as possible.

# Technical Details

The vulnerability **CVE-2025-4278**, with a CVSS score of 8.7, is an issue that, under certain conditions, could have allowed a successful attacker to achieve account takeover by injecting code into the search page.

The vulnerability **CVE-2025-2254**, with a CVSS score of 8.7, is a cross-site scripting (XSS) issue that, under certain conditions, could have allowed a successful attacker to act in the context of a legitimate user by injecting a malicious script into the snippet viewer.

The vulnerability **CVE-2025-5121**, with a CVSS score of 8.5, is a missing authorisation vulnerability that, under certain conditions, could have allowed a successful attacker with authenticated access to a GitLab instance with a GitLab Ultimate license applied (paid customer or trial) to inject a malicious CI/CD job into all future CI/CD pipelines of any project.

The vulnerability **CVE-2025-0673**, with a CVSS score of 7.5, is an issue that could have allowed a successful attacker to deny access to legitimate users of the targeted system by triggering an infinite redirect loop causing memory exhaustion on the server.

GitLab also fixed 5 medium and 1 low severity vulnerabilities.
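Since the only remediation is to update, the first thing a defender needs is a reliable answer to "is my instance in one of the affected ranges?". The following Python script is an added example, not part of the CERT-EU advisory or of GitLab's own tooling: it encodes the version ranges exactly as they are listed in the Affected Products section of this advisory and checks an installed version string against them, tolerating the `-ee`/`-ce` edition suffix and a leading `v` that GitLab version strings sometimes carry. The version strings in the `__main__` block are constructed test values. In practice the installed version comes from `sudo gitlab-rake gitlab:env:info` on an Omnibus host or from the REST endpoint `GET /api/v4/version` (requires an authenticated token).

```python
"""Check a GitLab version string against the affected ranges of CERT-EU advisory 2025-020.

Example code added to this advisory; not CERT-EU or GitLab code.
AFFECTED_RANGES is copied from the "Affected Products" section (lower bound
inclusive, upper bound exclusive, i.e. "from X before Y").
"""
from __future__ import annotations

import re
import sys

# (first affected version, first fixed version) per branch, as stated in the advisory.
AFFECTED_RANGES: list[tuple[str, str]] = [
    ("7.7", "17.10.8"),
    ("17.9", "17.10.8"),
    ("17.11", "17.11.4"),
    ("18.0", "18.0.2"),
]


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '18.0.1-ee' or 'v17.11.3' into a comparable (major, minor, patch) tuple.

    A leading 'v' and an edition suffix such as '-ee' or '-ce' are ignored.
    Missing components are padded with 0 ('17.11' -> (17, 11, 0)).
    Anything that is not dotted integers is rejected rather than guessed at.
    """
    core = version.strip().lstrip("v").split("-", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+){0,2}", core):
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def first_fixed_version(version: str) -> str | None:
    """Return the fixed release for the branch the version belongs to, or None if not affected."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if parse_version(low) <= v < parse_version(high):
            return high
    return None


def is_affected(version: str) -> bool:
    """True when the version lies inside at least one affected range."""
    return first_fixed_version(version) is not None


def report(version: str) -> str:
    """One-line human-readable verdict for a version string."""
    fixed = first_fixed_version(version)
    if fixed is None:
        return f"{version}: not in an affected range listed in CERT-EU 2025-020"
    return f"{version}: AFFECTED - update to {fixed} or later on that branch"


if __name__ == "__main__":
    # Constructed sample versions; pass real ones on the command line instead.
    samples = sys.argv[1:] or ["17.10.7", "17.10.8", "17.11.3-ee", "18.0.1", "18.0.2-ee"]
    for sample in samples:
        print(report(sample))
```

The ranges are kept as data rather than hard-coded comparisons so the same script can be reused for later advisories by editing `AFFECTED_RANGES` only; the overlapping `7.7`/`17.9` entries are retained verbatim from the advisory rather than merged.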
# Affected Products

The following products and versions are affected by one or more high severity vulnerabilities [1]:

- GitLab CE/EE: all versions from 7.7 before 17.10.8, 17.9 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2
- GitLab Ultimate EE from 17.11 before 17.11.4 and 18.0 before 18.0.2

# Recommendations

It is recommended to update affected GitLab installations as soon as possible.

# References

[1]