GitLab urges an urgent upgrade to patch two critical vulnerabilities that could cause data leaks.

Lưu Tuấn Anh

Overview

In February 2025, GitLab urged administrators of all self-managed GitLab instances to upgrade immediately to version 17.9.1, 17.8.4, or 17.7.6 after several critical vulnerabilities were discovered, including Cross-Site Scripting (XSS) flaws that could lead to data leaks.

Besides the two critical XSS vulnerabilities described in this post, GitLab also fixed several other issues in these releases, including:

  • HTML injection leading to XSS (CVE-2024-8186) - CVSS 5.4: a flaw in the sub-item search feature could allow XSS attacks.

  • Improper authorization check lets guest users read security policies (CVE-2024-10925) - CVSS 5.3: guest users could read security policy YAML files.

  • Users with the Planner role can read Code Review analytics in private projects (CVE-2025-0307) - CVSS 4.3: users with restricted permissions could access sensitive analytics data.

Introduction to the Vulnerabilities

  1. CVE-2025-0475

    • Description: XSS vulnerability in the Kubernetes Proxy Endpoint

    • Impact: This vulnerability could allow an attacker to inject malicious script into the user's browser, steal login credentials, or carry out other attacks.

    • CVSS Score: High

    • Severity: Dangerous

  2. CVE-2025-0555

    • Description: XSS vulnerability in the Maven Dependency Proxy

    • Impact: This vulnerability could allow an attacker to bypass security mechanisms and execute arbitrary script in the browser under certain conditions.

    • CVSS Score: 7.7

    • Severity: High


Affected Versions

  • All versions from 15.10 onwards are affected.

  • GitLab EE from version 16.6 onwards is affected.

How to Exploit the Vulnerability

CVE-2025-0475

The XSS vulnerability in GitLab's Kubernetes Proxy Endpoint (CVE-2025-0475) could allow an attacker to execute malicious JavaScript in the victim's browser.

First, we need to understand how the Kubernetes Proxy Endpoint works in GitLab:

  • GitLab uses the Kubernetes API proxy to connect to Kubernetes and display data from Kubernetes resources within the GitLab UI.

  • When a request is sent to /kubernetes/proxy/, GitLab fetches data from Kubernetes and displays the response content in the web interface.

Attackers exploit the security weakness in this configuration to carry out XSS attacks:

  • If the response from the Kubernetes API contains data that is not properly validated or escaped, an attacker could inject JavaScript into that response.

  • This can happen when GitLab renders the content of the proxy response as HTML without protection.

Starting from this configuration weakness, the attacker crafts a malicious URL and sends a request to the Kubernetes Proxy Endpoint with an XSS payload.

=> If GitLab does not handle it correctly, the victim's browser will execute the malicious JavaScript.

After crafting the malicious URL, the attacker tricks the victim into opening it by:

  • Sending a phishing email or sharing a link containing the XSS payload.

  • When the victim opens the link in the browser, the malicious code executes.

Once CVE-2025-0475 is exploited successfully, attackers can:

  • Steal session cookies (which could lead to GitLab account takeover).

  • Perform Cross-Site Request Forgery (CSRF) attacks to act on behalf of the victim.

  • Inject malicious code into the GitLab interface to affect more users.

CVE-2025-0555

CVE-2025-0555 is a critical security vulnerability in GitLab Enterprise Edition (EE). It allows attackers to bypass security controls and execute arbitrary scripts in the user's browser under specific conditions.

Like the previous CVE, CVE-2025-0555 is a Cross-Site Scripting (XSS) flaw, this time in the Maven Dependency Proxy, and it exists when:

  • The system does not properly validate or escape input data before displaying it in the web interface.

  • Attackers can inject malicious JavaScript into error messages, URLs, or user inputs so that it executes in the victim's browser.

A GitLab instance whose Maven Dependency Proxy is affected by the XSS vulnerability can be exploited by an attacker as follows:

  • Step 1: The attacker creates a malicious Maven package containing an XSS payload in its metadata or URL.

=> If the system displays this content without encoding the output, the victim's browser will execute the JavaScript.

  • Step 2: The attacker can also inject XSS code into the URL of the Maven Proxy Endpoint.

=> If GitLab does not properly handle this input, the user's browser will execute the malicious code when the URL is opened.

  • Step 3: After creating malicious URLs containing XSS code, the attacker tricks users into opening them in two ways:

    • Sending links by email, embedding them in websites, or creating fake packages that users are lured into downloading.

    • When users open the URL or the infected Maven package, the malicious code runs.

  • Step 4: The attacker collects user data:

    • Stealing sensitive information: cookies, login details, personal data.

    • Hijacking the session: performing actions on behalf of the user.

    • Spreading malware: infecting other parts of the application or system.

Recommendations

  • Update GitLab: Users and administrators should upgrade GitLab to the patched versions, specifically 17.9.1, 17.8.4, or 17.7.6, to fix these vulnerabilities.

  • Check and monitor: Check and monitor the system regularly to detect unusual activity that might indicate exploitation of these vulnerabilities.

  • Security assessment: Perform security assessments regularly to identify and promptly address weaknesses in the system.
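As an added example for the upgrade recommendation (not GitLab's own tooling): a small checker that classifies a reported GitLab version against the three patched releases and lists which of the two CVEs still applies. It reads the post's version ranges as 15.10 onwards for CVE-2025-0475 and EE 16.6 onwards for CVE-2025-0555, which is an assumption since the post does not map the ranges to the CVEs explicitly.

```python
"""Classify a self-managed GitLab version against the February 2025 patch
releases (17.9.1, 17.8.4, 17.7.6). Added example, not GitLab tooling. The
affected ranges are read from this post: all versions from 15.10 for
CVE-2025-0475 and EE from 16.6 for CVE-2025-0555 (an assumption, since the
post does not map the two ranges to the CVEs explicitly)."""
import re

# Patched release per supported line; newer lines (17.10+) already carry the fix.
PATCHED = {(17, 9): (17, 9, 1), (17, 8): (17, 8, 4), (17, 7): (17, 7, 6)}
FIRST_AFFECTED = (15, 10, 0)

def parse_version(text: str) -> tuple:
    """Turn '17.8.3-ee' or '17.9.1' into (major, minor, patch)."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(x) for x in m.groups())

def assess(version: str) -> str:
    """Return 'not_affected', 'patched' or 'vulnerable'.

    Lines 15.10 up to 17.6 received no in-line fix, so any such version is
    vulnerable and must move to one of the three patched lines (or later)."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return "not_affected"
    line = v[:2]
    if line in PATCHED:
        return "patched" if v >= PATCHED[line] else "vulnerable"
    return "patched" if v > max(PATCHED.values()) else "vulnerable"

def applicable_cves(version: str, edition: str) -> list:
    """List which of the two CVEs a still-vulnerable version is exposed to."""
    if assess(version) != "vulnerable":
        return []
    v = parse_version(version)
    cves = ["CVE-2025-0475"]                      # 15.10+ (CE and EE)
    if edition.lower() == "ee" and v >= (16, 6, 0):
        cves.append("CVE-2025-0555")              # EE-only, 16.6+
    return cves

if __name__ == "__main__":
    for ver, ed in [("17.8.3-ee", "ee"), ("17.9.1", "ce"), ("16.5.2", "ee")]:
        print(ver, ed, assess(ver), applicable_cves(ver, ed))
```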

Conclusion

Both CVE-2025-0555 and CVE-2025-0475 are serious security flaws in GitLab. They allow attackers to perform Cross-Site Scripting (XSS) attacks, which can lead to session hijacking, theft of login credentials, and unauthorized access to the system.

Additionally, attackers can escalate privileges and chain further attacks if they exploit these two vulnerabilities. Implementing the measures above will reduce the risk of attack and help protect your GitLab instance.

Indicators of Compromise (IOC)

  • Unusual activity in system logs:

    • HTTP requests containing JavaScript code or suspicious strings in parameters of the Maven Dependency Proxy endpoints.

    • Requests from unknown or untrusted IP addresses to the Maven Dependency Proxy endpoints.

  • Unusual user behavior:

    • Users report actions they did not perform, such as changing settings, creating or deleting projects, or other activities in GitLab.

  • Unexplained changes in configuration or data:

    • Changes in system configuration, files, or databases with no clear cause.
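As an added example for the log-based indicators above (not GitLab's own tooling): a scanner that parses combined-format access-log lines, URL-decodes the request path, and flags script-like strings or untrusted source IPs on requests to the Kubernetes proxy and Maven proxy endpoints. The log lines are constructed, and the Maven endpoint prefix and trusted networks are assumptions to adjust for your instance.

```python
"""Flag the log indicators from this post: script-like strings in requests to the
Kubernetes proxy / Maven proxy endpoints, and such requests from untrusted IPs.
Added example, not GitLab tooling; sample lines are constructed, and the Maven
prefix and trusted networks are assumptions to adjust for your instance."""
import ipaddress
import re
from urllib.parse import unquote_plus

WATCHED_PREFIXES = (
    "/kubernetes/proxy/",       # Kubernetes Proxy Endpoint named in the post
    "/api/v4/packages/maven/",  # ASSUMED Maven proxy prefix; adjust locally
)
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Markers of inline script in a decoded path/query; extend with your own patterns.
SCRIPT_MARKERS = re.compile(r"<\s*script|javascript:|\bon\w+\s*=|<\s*svg|<\s*img", re.I)
# Combined log format: ip - - [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def scan_line(line: str) -> list:
    """Return the indicator tags that fire for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []                                   # unparsable line: skip
    path = unquote_plus(m["path"])                  # decode %3C etc. first
    if not path.startswith(WATCHED_PREFIXES):
        return []
    tags = []
    if SCRIPT_MARKERS.search(path):
        tags.append("script_in_request")
    if not any(ipaddress.ip_address(m["ip"]) in net for net in TRUSTED_NETS):
        tags.append("untrusted_source_ip")
    return tags

def scan_log(lines) -> dict:
    """Map 1-based line numbers of flagged entries to their indicator tags."""
    return {n: t for n, l in enumerate(lines, 1) if (t := scan_line(l))}

# Constructed sample lines (not from a real incident).
SAMPLE_LOG = [
    '10.1.2.3 - - [25/Feb/2025:10:00:01 +0000] "GET /kubernetes/proxy/api/v1/pods HTTP/1.1" 200 512',
    '203.0.113.7 - - [25/Feb/2025:10:00:02 +0000] "GET /kubernetes/proxy/%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 88',
    '10.1.2.3 - - [25/Feb/2025:10:00:03 +0000] "GET /api/v4/packages/maven/org/example/app/1.0/app-1.0.pom HTTP/1.1" 200 2048',
    '198.51.100.9 - - [25/Feb/2025:10:00:04 +0000] "GET /api/v4/packages/maven/x/%3Cimg%20src=x%20onerror=alert(1)%3E HTTP/1.1" 404 12',
    '203.0.113.8 - - [25/Feb/2025:10:00:05 +0000] "GET /projects HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for n, tags in scan_log(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(tags)}")
```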
