CyberSecurity news
FlagThis
@cyberpress.org
//
GitLab has issued critical security updates on June 11, 2025, to address multiple vulnerabilities in both the Community Edition (CE) and Enterprise Edition (EE) of its platform. These patches are crucial for self-managed GitLab installations, with experts urging immediate upgrades to prevent potential exploits. The updates tackle high-severity vulnerabilities that could allow attackers to achieve complete account takeover and compromise enterprise development environments, emphasizing the importance of proactive security measures in DevSecOps environments.
One of the most concerning vulnerabilities, CVE-2025-5121, affects GitLab Ultimate EE customers and carries a CVSS score of 8.5. This missing authorization issue allows attackers with authenticated access to a GitLab instance with a GitLab Ultimate license to inject malicious CI/CD jobs into all future pipelines of any project. This can lead to backdoors being added, validation steps being skipped, and secrets used during the build process being exposed, significantly compromising the software development lifecycle.
Other notable vulnerabilities addressed in this patch release include CVE-2025-4278, an HTML injection vulnerability with a CVSS score of 8.7 that could lead to account takeover, and CVE-2025-2254, a cross-site scripting (XSS) vulnerability, also with a CVSS score of 8.7, allowing attackers to act in the context of legitimate users. GitLab has released versions 18.0.2, 17.11.4, and 17.10.8 for both CE and EE to address these issues, and it's strongly recommended that all affected installations be updated as soon as possible.
ImgSrc: blogger.googleu
References :
One of the most concerning vulnerabilities, CVE-2025-5121, affects GitLab Ultimate EE customers and carries a CVSS score of 8.5. This missing authorization issue allows attackers with authenticated access to a GitLab instance with a GitLab Ultimate license to inject malicious CI/CD jobs into all future pipelines of any project. This can lead to backdoors being added, validation steps being skipped, and secrets used during the build process being exposed, significantly compromising the software development lifecycle.
Other notable vulnerabilities addressed in this patch release include CVE-2025-4278, an HTML injection vulnerability with a CVSS score of 8.7 that could lead to account takeover, and CVE-2025-2254, a cross-site scripting (XSS) vulnerability, also with a CVSS score of 8.7, allowing attackers to act in the context of legitimate users. GitLab has released versions 18.0.2, 17.11.4, and 17.10.8 for both CE and EE to address these issues, and it's strongly recommended that all affected installations be updated as soon as possible.
ImgSrc: blogger.googleu
Share:
References :
- cert.europa.eu: On 11 June 2025, Gitlab released security updates for their products addressing multiple vulnerabilities in Gitlab Community Edition (CE) and Enterprise Edition (EE).
- www.csoonline.com: A new vulnerability in GitLab’s Ultimate Enterprise Edition used for managing source code is “dangerous†and needs to be quickly patched, says an expert.
- Cyber Security News: GitLab has released critical security patches addressing multiple high-severity vulnerabilities that could enable attackers to achieve complete account takeover and compromise enterprise development environments.
- The DefendOps Diaries: Explore GitLab's proactive measures to patch high-severity vulnerabilities and enhance security in DevSecOps environments.
Classification:
- HashTags: #GitLab #Vulnerability #Security
- Company: GitLab
- Target: GitLab users
- Product: GitLab
- Feature: missing authorization issue
- Malware: CVE-2025-5121
- Type: Vulnerability
- Severity: High