GitLab Security Update

GitLab has released security patches addressing multiple high-severity vulnerabilities in its platform.

The company has issued patch versions 17.11.1, 17.10.5, and 17.9.7 for both Community Edition (CE) and Enterprise Edition (EE).

These updates address cross-site scripting (XSS), denial-of-service (DoS), and account-takeover flaws, and also deliver a set of bug fixes.


Significant Vulnerabilities Addressed

The security update addresses several vulnerabilities that posed substantial risk to GitLab installations.

Two critical cross-site scripting (XSS) issues have been remediated in the Maven Dependency Proxy. 

The first vulnerability (CVE-2025-1763) allowed attackers to bypass Content Security Policy (CSP) directives and received a high CVSS score of 8.7.

A nearly identical XSS vulnerability exploiting misconfigured cache headers was also fixed and assigned the identifier CVE-2025-2443.

Additionally, GitLab patched a Network Error Logging (NEL) header injection vulnerability (CVE-2025-1908, CVSS 7.7) that could enable malicious actors to monitor user browser activity, potentially facilitating complete account takeovers.

A medium-severity denial of service (DoS) vulnerability affecting the issue preview feature was addressed under CVE-2025-0639 with a CVSS score of 6.5. 

Furthermore, an access control flaw permitting unauthorized viewing of branch names even when repository assets were disabled was fixed and assigned CVE-2024-12244 with a score of 4.3.

Significant Bug Fixes in This Release

GitLab’s patch releases also resolve a range of impactful bugs, further enhancing stability and performance:

17.11.1

  • Pipeline Security: allow_composite_identities_to_run_pipelines now protected behind a feature flag.
  • Amazon Q Integration: Fixed disconnects and documentation errors for Amazon Q.
  • CI/CD Improvements: Corrected string conversion for CI Inputs; improved handling of latest DS templates with Static Reachability.
  • Cloud Connector: Tokens now sync hourly for better reliability.
  • Workhorse & Gitaly: Updated dependencies for improved performance and stability.
  • UI Fixes: Resolved file attachment issues in the new interface look.

17.10.5

  • Mailroom Location: Fixed Universal Base Image (UBI) mailroom path issues.
  • Go gRPC Update: Upgraded to version 1.71.1 for enhanced security.
  • Zoekt Indexing: Multiple fixes to project filtering, node management, and instant eviction of indices.
  • Session Security: Session cookies are now cleared when the browser closes, reducing risk of session hijacking.
  • AI Events Backfill: Improved data backfill from PostgreSQL to ClickHouse.
  • Cloud Connector: Hourly token sync patch backported.

17.9.7

  • FIPS & UBI: Backported pipeline naming fixes for compliance.
  • Encryption Keys: Introduced gitlab:doctor:encryption_keys task for easier key management.
  • Workhorse & Gitaly: Updated dependencies for stability.
  • Mailroom Location: UBI mailroom path fix backported.
  • Go gRPC Update: Security update to 1.71.1.

As cyber threats continue to evolve in sophistication, GitLab maintains its proactive approach through transparent communication and timely security patches. 

According to the advisory, security experts strongly recommend that organizations upgrade their installations immediately to mitigate the risks associated with these known vulnerabilities.
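A defender's first step is finding which self-managed instances still run a pre-patch release. The following is an added example, not code from GitLab or from this article, that compares a version string against the three patched releases the advisory names; treating branches the advisory does not list as needing an upgrade, and releases newer than 17.11.1 as already containing the fixes, is an assumption of the example.

```python
"""Check GitLab version strings against the patch releases named in the advisory."""
import re

# Minimum patched release per minor branch, as listed on the page.
PATCHED = {
    (17, 11): (17, 11, 1),
    (17, 10): (17, 10, 5),
    (17, 9): (17, 9, 7),
}

# GitLab reports versions like "17.10.4-ee"; the edition suffix is optional.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(?:ee|ce))?$")


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH[-ee|-ce]' into a comparable tuple of ints."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def fmt(v):
    return ".".join(str(n) for n in v)


def assess(text):
    """Return (is_patched, note) for one version string.

    Assumption (not stated on the page): releases newer than 17.11.1 are
    treated as containing the fixes; branches older than 17.9 have no patch
    in this release set and are flagged for upgrade to a patched branch.
    """
    version = parse_version(text)
    newest, oldest = max(PATCHED.values()), min(PATCHED.values())
    if version >= newest:
        return True, f"at or beyond {fmt(newest)}"
    target = PATCHED.get(version[:2])
    if target is None:
        return False, f"branch {version[0]}.{version[1]} has no fix here; upgrade to {fmt(oldest)} or later"
    if version >= target:
        return True, f"at or beyond {fmt(target)}"
    return False, f"upgrade to {fmt(target)}"


if __name__ == "__main__":
    # Constructed inventory of instance versions, not real hosts.
    for v in ["17.11.0-ee", "17.10.5-ce", "17.9.6", "17.8.2-ee", "17.11.3"]:
        ok, note = assess(v)
        print(f"{v:12} {'patched' if ok else 'VULNERABLE':10} {note}")
```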

This update exemplifies the collaborative nature of the open-source community, with vulnerability reports submitted through the HackerOne bug bounty program receiving recognition.

As the digital threat landscape becomes increasingly complex, organizations should adhere to cybersecurity best practices, including regular system audits and prompt update application, to ensure continuous service and data protection.


Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.