Warning: High severity vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE), Patch Immediately!

Published : 12/12/2025

    * Last update: 12/12/2025

    * Affected software:
        • GitLab Community Edition (CE) and Enterprise Edition (EE)

    * Type:
        • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
        • CWE-116: Improper Encoding or Escaping of Output
        • CWE-209: Generation of Error Message Containing Sensitive Information
        • CWE-288: Authentication Bypass Using an Alternate Path or Channel
        • CWE-770: Allocation of Resources Without Limits or Throttling

    * CVE/CVSS
        • CVE-2025-12716: CVSS 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
        • CVE-2025-8405: CVSS 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
        • CVE-2025-12029: CVSS 8.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N)
        • CVE-2025-12562: CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
        • CVE-2025-11984: CVSS 6.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)
        • CVE-2025-4097: CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
        • CVE-2025-14157: CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
        • CVE-2025-11247: CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
        • CVE-2025-13978: CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
        • CVE-2025-12734: CVSS 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N)

Sources

GitLab: https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released/#cve-2025-12562---denial-of-service-issue-in-graphql-endpoints-impacts-gitlab-ceee

Risks

Multiple high and medium severity vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE) have been patched in the newly released versions 18.6.2, 18.5.4 and 18.4.6.

The four high severity vulnerabilities patched involve cross-site scripting (CVE-2025-12716 and CVE-2025-12029), improper encoding in vulnerability reports (CVE-2025-8405) and denial of service (CVE-2025-12562). Between them, these vulnerabilities have a high impact on Confidentiality, Integrity and Availability.

Description

CVE-2025-12716 is a cross-site scripting issue in Wiki that impacts GitLab CE/EE versions from 18.4 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2.
Under certain conditions, exploiting this vulnerability could allow an authenticated user to perform unauthorised actions on behalf of another user by creating wiki pages with malicious content.

CVE-2025-8405 is an improper encoding in vulnerability reports that impacts GitLab CE/EE versions from 17.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2.
By exploiting this vulnerability, an authenticated user could perform unauthorised actions on behalf of other users by injecting malicious HTML into vulnerability code flow displays.

CVE-2025-12029 is a cross-site scripting vulnerability in Swagger UI that impacts GitLab CE/EE versions from 15.11 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2.
Under certain circumstances, an unauthenticated user could exploit this vulnerability to perform unauthorised actions on behalf of another user by injecting malicious external scripts into the Swagger UI.

CVE-2025-12562 is a denial of service vulnerability in GraphQL endpoints that impacts GitLab CE/EE versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2.
The vulnerability could allow an unauthenticated user to create a denial of service condition by sending crafted GraphQL queries that bypass query complexity limits.

Recommended Actions

Patch

GitLab released versions 18.6.2, 18.5.4 and 18.4.6 for GitLab CE/EE and recommends that all self-managed GitLab installations be upgraded to one of these versions immediately.

GitLab.com is already running the patched version and GitLab Dedicated customers do not need to take action.
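To triage a self-managed instance against the version ranges stated in the Description, here is an added Python check (written for this advisory, not code from GitLab or the CCB) that maps the four high severity CVEs to their affected ranges and names the fixed release to move to. It assumes the instance's GET /api/v4/version endpoint returns a JSON body with a "version" field such as "18.5.3-ee"; the sample response is constructed.

```python
import json
import re
from typing import Dict, List, Tuple

# Fixed releases named in the advisory; each affected range ends at one of them.
FIXED = ((18, 4, 6), (18, 5, 4), (18, 6, 2))

# Lower bound (inclusive) of the first affected range per CVE, as stated above:
# "from 18.4 before 18.4.6", "from 17.1 before 18.4.6", and so on.
FIRST_AFFECTED: Dict[str, Tuple[int, int, int]] = {
    "CVE-2025-12716": (18, 4, 0),   # XSS in Wiki
    "CVE-2025-8405": (17, 1, 0),    # improper encoding in vulnerability reports
    "CVE-2025-12029": (15, 11, 0),  # XSS in Swagger UI
    "CVE-2025-12562": (11, 10, 0),  # DoS in GraphQL endpoints
}
# The 18.5 and 18.6 branches are affected below their fixed release for every CVE.
LATER_BRANCHES = (((18, 5, 0), (18, 5, 4)), ((18, 6, 0), (18, 6, 2)))

def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse '18.6.1' or '18.6.1-ee' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def affected_cves(version: str) -> List[str]:
    """Return the advisory CVEs whose stated version ranges contain `version`."""
    v = parse_version(version)
    hits = []
    for cve, first_lo in FIRST_AFFECTED.items():
        if any(lo <= v < hi for lo, hi in ((first_lo, FIXED[0]), *LATER_BRANCHES)):
            hits.append(cve)
    return hits

def check_instance(version_json: str) -> Dict[str, object]:
    """Triage the JSON body of GET /api/v4/version: affected CVEs and release to upgrade to."""
    version = json.loads(version_json)["version"]
    v = parse_version(version)
    cves = affected_cves(version)
    target = None
    if cves:
        # Stay on the same minor branch when it has a fix, otherwise the lowest fixed release.
        fix = next((f for f in FIXED if f[:2] == v[:2]), FIXED[0])
        target = ".".join(map(str, fix))
    return {"version": version, "affected": cves, "upgrade_to": target}

# Constructed sample response (hypothetical revision); a real one comes from the instance's API.
SAMPLE = '{"version": "18.5.3-ee", "revision": "0000000"}'
```

Versions on the 18.4.7+ / 18.5.4+ / 18.6.2+ side of each range, and releases older than a CVE's lower bound, report as unaffected.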

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/report-incident.

While patching appliances or software to the newest version or implementing specific mitigations may protect against future exploitation, it does not remediate historic compromise.

References

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12716
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-8405
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12029
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12562
GitLab: https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released/#cve-2025-12562---denial-of-service-issue-in-graphql-endpoints-impacts-gitlab-ceee