GitLab has released critical security patches for multiple vulnerabilities that could allow attackers to authenticate as legitimate users or, under specific circumstances, execute remote code.
The company has urged all self-managed GitLab installations to upgrade immediately to versions 17.9.2, 17.8.5, or 17.7.7 of both Community Edition (CE) and Enterprise Edition (EE) to address these issues.
The most severe security issues identified are CVE-2025-25291 and CVE-2025-25292, which affect the ruby-saml library utilized by GitLab for SAML Single Sign-On (SSO) authentication.
These vulnerabilities have been classified as “Critical” in severity due to their potential impact on authentication systems.
According to GitLab’s security advisory, an attacker with access to a valid signed SAML document issued by the Identity Provider (IdP) could exploit these vulnerabilities to authenticate as a different legitimate user of that IdP.
For organizations that cannot immediately update their GitLab instances, several mitigation steps have been recommended.
These include enabling GitLab’s native two-factor authentication for all user accounts, disabling the SAML two-factor bypass option, and requiring administrative approval for automatically created users by setting gitlab_rails['omniauth_block_auto_created_users'] = true in the configuration.
| Risk Factors | Details |
| --- | --- |
| Affected Products | GitLab CE/EE using SAML SSO; ruby-saml library (versions >= 1.13.0 and < 1.18.0, or < 1.12.4) |
| Impact | Authentication bypass |
| Exploit Prerequisites | Access to a signed SAML document from the IdP |
| CVSS 3.1 Score | Critical |
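The version ranges above and the patched GitLab releases named earlier can be turned into a quick dependency check. The following Ruby script is an added example, not GitLab’s own tooling: it reads pinned gem versions from Gemfile.lock text (the sample lockfile is constructed) and compares them against the ranges stated in the advisory.

```ruby
# Added example derived from the advisory's stated version ranges.
# Not GitLab's own code; SAMPLE_LOCK below is a constructed Gemfile.lock excerpt.
require "rubygems"

# ruby-saml versions affected by CVE-2025-25291 / CVE-2025-25292 per the
# advisory: anything below 1.12.4, and 1.13.0 up to (not including) 1.18.0.
def ruby_saml_vulnerable?(version)
  v = Gem::Version.new(version)
  v < Gem::Version.new("1.12.4") ||
    (v >= Gem::Version.new("1.13.0") && v < Gem::Version.new("1.18.0"))
end

# Patched self-managed GitLab releases named in the advisory, keyed by
# minor branch (major.minor).
GITLAB_PATCHED = {
  "17.9" => Gem::Version.new("17.9.2"),
  "17.8" => Gem::Version.new("17.8.5"),
  "17.7" => Gem::Version.new("17.7.7"),
}.freeze

# true/false for branches the advisory covers; nil for branches it does not name.
def gitlab_patched?(version)
  v = Gem::Version.new(version)
  branch = v.segments.first(2).join(".")
  fixed = GITLAB_PATCHED[branch]
  fixed.nil? ? nil : v >= fixed
end

# Extract "name (version)" pins from a Gemfile.lock; spec lines sit at
# four spaces of indentation under "specs:".
def locked_versions(lockfile_text)
  lockfile_text.scan(/^    ([A-Za-z0-9_.-]+) \(([^)\s]+)\)$/).to_h
end

SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      graphql (2.4.11)
      rexml (3.4.0)
      ruby-saml (1.17.0)
LOCK

if __FILE__ == $0
  pins = locked_versions(SAMPLE_LOCK)
  saml = pins["ruby-saml"]
  puts "ruby-saml #{saml} vulnerable: #{ruby_saml_vulnerable?(saml)}"
  puts "GitLab 17.9.1 patched: #{gitlab_patched?('17.9.1')}"
end
```

Point locked_versions at the real Gemfile.lock of an instance to check the ruby-saml pin; the graphql pin is extracted too, but the advisory gives no fixed version for it, so that check is left to the reader.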
Additionally, GitLab has addressed CVE-2025-27407, a “High” severity vulnerability discovered in the Ruby graphql library.
This vulnerability is particularly concerning because it could enable remote code execution under specific circumstances.
The vulnerability can be exploited if an attacker-controlled authenticated user account attempts to transfer a maliciously-crafted project via the Direct Transfer feature, which is currently in beta stage and disabled by default for all self-managed GitLab instances.
Organizations unable to update immediately can mitigate this risk by ensuring the Direct Transfer feature remains disabled, which is its default state for self-managed installations.
GitLab has acknowledged the work of security researcher “yvvdwf” who reported this vulnerability through their HackerOne bug bounty program, as well as Robert Mosolgo from ruby-graphql for collaboration on cross-vendor disclosure and remediation efforts.
| Risk Factors | Details |
| --- | --- |
| Affected Products | GitLab CE/EE, Ruby graphql library |
| Impact | Remote code execution |
| Exploit Prerequisites | Authenticated user account |
| CVSS 3.1 Score | High |
As part of this security release, GitLab has also upgraded its PostgreSQL versions to 14.17 and 16.8, following the PostgreSQL project’s own security updates.
The patch releases include various bug fixes addressing issues such as search timeout problems with special characters, project repository logic, and improvements to development kit components.
GitLab’s hosted service (GitLab.com) is already running the patched versions, so cloud users are protected from these vulnerabilities.
GitLab Dedicated customers have been advised that they do not need to take immediate action and will be notified once their instances have been patched automatically.
Security experts recommend that organizations running GitLab implement these updates as soon as possible, especially those using SAML authentication or considering enabling the Direct Transfer feature.