Reference: Advisory #2025-48
Version: 1.0
Affected software: GitLab versions < 17.7.6, < 17.8.4, < 17.9.1
Type: Cross-site Scripting, Authorization Bypass
CVE/CVSS:
CVE-2025-0475: CVSS 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
CVE-2025-0555: CVSS 7.7 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N)
CVE-2024-8186: CVSS 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
CVE-2024-10925: CVSS 5.3 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)
NVD: CVE-2025-0475 - https://nvd.nist.gov/vuln/detail/CVE-2025-0475
NVD: CVE-2025-0555 - https://nvd.nist.gov/vuln/detail/CVE-2025-0555
NVD: CVE-2024-8186 - https://nvd.nist.gov/vuln/detail/CVE-2024-8186
NVD: CVE-2024-10925 - https://nvd.nist.gov/vuln/detail/CVE-2024-10925
GitLab released a patch for multiple high-severity vulnerabilities on February 26th. The most severe issues involve cross-site scripting (XSS) vulnerabilities, which could allow a remote attacker with low privileges to inject unintended content and execute arbitrary scripts in a user’s browser.
These vulnerabilities could compromise user data and security by bypassing security controls, and therefore have a high impact on Confidentiality and Integrity.
CVE-2025-0475: CVSS 8.7
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
This vulnerability could allow a remote attacker with low privileges to render unintended content leading to XSS under specific circumstances through the k8s proxy endpoint.
CVE-2025-0555: CVSS 7.7
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
This XSS vulnerability could allow a remote attacker with low privileges to bypass security controls and execute arbitrary scripts in a user's browser.
CVE-2024-8186: CVSS 5.4
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
This vulnerability could allow a remote attacker to inject HTML into the child item search, which could lead to XSS on self-hosted instances.
CVE-2024-10925: CVSS 5.3
CWE-639: Authorization Bypass Through User-Controlled Key
This vulnerability allows a Guest user to read the Security policy YAML.
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing. The vulnerabilities are fixed in versions 17.9.1, 17.8.4, 17.7.6, for which the release notes can be found at https://about.gitlab.com/releases/2025/02/26/patch-release-gitlab-17-9-1-released/.
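To triage an inventory of GitLab instances against the fixed versions named above, the following added Python helper (not CCB or GitLab code) encodes the branch-wise check. The hostnames and versions in the sample inventory are constructed, and the treatment of branches older than 17.7 (no fix in this advisory) and newer than 17.9 (released after the fix) is an assumption.

```python
"""Version triage for CCB Advisory #2025-48 (added example, not CCB/GitLab code)."""
from __future__ import annotations
import re

# Fixed versions named in the advisory, keyed by (major, minor) release branch.
FIXED_VERSIONS = {
    (17, 7): (17, 7, 6),
    (17, 8): (17, 8, 4),
    (17, 9): (17, 9, 1),
}

# Accept "MAJOR.MINOR.PATCH" with optional suffixes such as "-ee" or "-ce.0".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse a GitLab version string into (major, minor, patch)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def assess(version: str) -> str:
    """Return 'patched', 'upgrade-in-branch' or 'upgrade-branch'.

    Assumption: a branch with a fixed release is patched at or above that
    patch level; a branch newer than 17.9 is treated as patched; a branch
    older than 17.7 has no fix in this advisory and must move branches.
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_VERSIONS:
        if (major, minor, patch) >= FIXED_VERSIONS[branch]:
            return "patched"
        return "upgrade-in-branch"
    if branch > max(FIXED_VERSIONS):
        return "patched"
    return "upgrade-branch"


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map each host in the inventory to its assessment."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    sample = {"gitlab-a.example": "17.9.0", "gitlab-b.example": "17.8.4-ee",
              "gitlab-c.example": "17.6.2", "gitlab-d.example": "17.10.0"}
    for host, verdict in triage(sample).items():
        print(f"{host:18} {sample[host]:10} {verdict}")
```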
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
Patch release - https://about.gitlab.com/releases/2025/02/26/patch-release-gitlab-17-9-1...
Update page - https://about.gitlab.com/update/