
GitLab has released security updates addressing multiple high-severity vulnerabilities in its DevSecOps platform, including flaws that could allow attackers to take over user accounts and inject malicious jobs into CI/CD pipelines. The patches, released on June 11, 2025, cover four critical CVEs with CVSS scores ranging from 7.5 to 8.7 [1]. This comes six months after GitLab addressed CVE-2023-7028, another account takeover vulnerability that saw active exploitation in the wild [2].
Vulnerability Breakdown
The most severe issue, CVE-2025-4278 (CVSS 8.7), involves HTML injection through GitLab’s search functionality. Attackers could craft malicious search queries containing JavaScript that executes when viewed by administrators, potentially leading to session hijacking. This affects all GitLab Community and Enterprise Edition versions 18.0.0 through 18.0.1 [1].
CVE-2025-5121 (CVSS 8.5) impacts GitLab Ultimate EE versions 17.11.0-17.11.3 and 18.0.0-18.0.1. The missing authorization flaw allows authenticated users to inject arbitrary jobs into CI/CD pipelines, which could lead to credential theft or lateral movement within build environments. GitLab’s documentation confirms this requires the attacker to have at least Developer-level permissions [3].
Detection and Mitigation
Organizations should immediately upgrade to GitLab 18.0.2, 17.11.4, or 17.10.8. For environments where immediate patching isn’t feasible, GitLab recommends:
- Enforcing mandatory 2FA for all accounts
- Monitoring authentication logs for unusual patterns
- Reviewing pipeline execution history for unauthorized job injections
The historical CVE-2023-7028 exploit provides indicators of compromise that remain relevant. Security teams should watch for array-based params.value.email in password reset requests and spikes in password reset emails [2]. GitLab’s integrated error tracking can help detect exploitation attempts when configured with proper alert thresholds [4].
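The two log-based indicators above can be checked with a small script over GitLab’s JSON request log. The following is an added example, not code from GitLab or from the article: it parses log lines shaped like GitLab’s production_json.log (a "params" list of key/value objects), flags password-reset POSTs whose user[email] value is an array, and approximates the "spike in reset emails" indicator by counting reset requests per source IP in a sliding window. The log lines, IP addresses, e-mail addresses, the 5-minute window and the threshold of 3 are constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample of GitLab production_json.log lines (hypothetical data,
# shaped like GitLab's JSON request log: "params" is a list of {key, value}).
SAMPLE_LOG = """\
{"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":["victim@example.com","attacker@example.net"]}}],"time":"2025-06-11T10:00:00.000Z","remote_ip":"198.51.100.7","status":302}
{"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":"alice@example.com"}}],"time":"2025-06-11T10:01:10.000Z","remote_ip":"203.0.113.5","status":302}
{"method":"GET","path":"/search","params":[{"key":"search","value":"gitlab"}],"time":"2025-06-11T10:01:30.000Z","remote_ip":"203.0.113.5","status":200}
{"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":"bob@example.com"}}],"time":"2025-06-11T10:02:00.000Z","remote_ip":"198.51.100.7","status":302}
{"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":"carol@example.com"}}],"time":"2025-06-11T10:02:30.000Z","remote_ip":"198.51.100.7","status":302}
{"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":"dave@example.com"}}],"time":"2025-06-11T10:03:00.000Z","remote_ip":"198.51.100.7","status":302}
this line is not json and must be skipped
{"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":"erin@example.com"}}],"time":"2025-06-11T11:30:00.000Z","remote_ip":"203.0.113.5","status":302}
"""

RESET_PATH = "/users/password"  # GitLab's password-reset endpoint


def parse_entries(log_text):
    """Yield parsed JSON log entries, skipping blank or non-JSON lines."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def reset_email_param(entry):
    """Return the user[email] parameter of a password-reset POST, or None otherwise."""
    if entry.get("method") != "POST" or entry.get("path") != RESET_PATH:
        return None
    for param in entry.get("params", []):
        if param.get("key") == "user" and isinstance(param.get("value"), dict):
            return param["value"].get("email")
    return None


def find_array_email_resets(log_text):
    """Flag reset requests whose email parameter is an array (the CVE-2023-7028 IoC)."""
    findings = []
    for entry in parse_entries(log_text):
        email = reset_email_param(entry)
        if isinstance(email, list):
            findings.append({
                "time": entry.get("time"),
                "remote_ip": entry.get("remote_ip"),
                "emails": email,
            })
    return findings


def find_reset_spikes(log_text, window=timedelta(minutes=5), threshold=3):
    """Return (remote_ip, count) for IPs with >= threshold reset requests in any window."""
    times_by_ip = defaultdict(list)
    for entry in parse_entries(log_text):
        if reset_email_param(entry) is None:
            continue
        ts = datetime.strptime(entry["time"], "%Y-%m-%dT%H:%M:%S.%fZ")
        times_by_ip[entry.get("remote_ip")].append(ts.replace(tzinfo=timezone.utc))
    spikes = []
    for ip, times in times_by_ip.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            spikes.append((ip, best))
    return spikes


if __name__ == "__main__":
    for finding in find_array_email_resets(SAMPLE_LOG):
        print("array email in reset request:", finding)
    for ip, count in find_reset_spikes(SAMPLE_LOG):
        print(f"reset spike: {count} requests from {ip} within 5 minutes")
```

On the constructed sample the first function reports the single request carrying two addresses, and the second reports 198.51.100.7, which issued four reset requests within three minutes. Tune the window and threshold to the normal reset volume of your instance before alerting on the spike heuristic; the array indicator needs no tuning, since a legitimate reset form submits a single string.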
Security Enhancements
GitLab has expanded its AI-powered security features since the 2023 incident. The platform now uses Claude 3 Haiku to summarize vulnerabilities and suggest fixes. For SAST findings, it can automatically generate merge requests addressing common issues like SQLi and XSS [3]. These capabilities may help organizations respond faster to future vulnerabilities.
The June 2025 patches demonstrate GitLab’s continued investment in securing its DevSecOps platform. However, the recurrence of account takeover vulnerabilities highlights the importance of defense-in-depth measures beyond patching, particularly for organizations using GitLab as their primary code repository.
References
- [1] “GitLab patches high severity account takeover, missing auth issues,” BleepingComputer, Jun. 2025. [Online]. Available: https://www.bleepingcomputer.com/news/security/gitlab-patches-high-severity-account-takeover-missing-auth-issues
- [2] “GitLab Release Notes,” GitLab, Jun. 11, 2025. [Online]. Available: https://about.gitlab.com/releases/2025/06/11/patch-release-gitlab-18-0-2-released
- [3] “GitLab Docs: Vulnerability Management,” GitLab. [Online]. Available: https://docs.gitlab.com/user/application_security/vulnerabilities
- [4] “GitLab Error Tracking Docs,” GitLab. [Online]. Available: https://docs.gitlab.com/operations/integrated_error_tracking