Warning: Multiple High Severity XSS Vulnerabilities in GitLab, Patch Immediately!

Published : 28/03/2025

    * Last update:  28/03/2025
    * Affected software: GitLab Community & Enterprise Edition
    * Type: Insufficient Granularity of Access Control, Incorrect Authorization, Allocation of Resources without Limits or Throttling
    * CVE/CVSS
        → CVE-2025-0811: CVSS 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
        → CVE-2025-2255: CVSS 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
        → CVE-2025-2242: CVSS 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
        → CVE-2024-12619: CVSS 5.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N)
        → CVE-2024-10307: CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
        → CVE-2024-9773: CVSS 3.7 (CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N)

Sources

https://nvd.nist.gov/vuln/detail/CVE-2025-0811
https://nvd.nist.gov/vuln/detail/CVE-2025-2255
https://nvd.nist.gov/vuln/detail/CVE-2025-2242
https://nvd.nist.gov/vuln/detail/CVE-2024-12619
https://nvd.nist.gov/vuln/detail/CVE-2024-10307

Risks

GitLab released security patches on 26-03 for several high severity Cross-Site Scripting (XSS) vulnerabilities in both GitLab Community & Enterprise Edition. All organisations running on-premise GitLab instances are strongly advised to update to the latest version. An attacker with low privileges on the GitLab instance could use XSS to render attacker-controlled content in the browsers of other users and administrators. This has a high impact on the Confidentiality and Integrity of the GitLab instance.

Description

CVE-2025-0811: CVSS 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
This Cross-Site Scripting (XSS) vulnerability stems from the improper rendering of certain file types.

CVE-2025-2255: CVSS 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
This Cross-Site Scripting (XSS) vulnerability stems from certain error messages that are improperly rendered.

CVE-2025-2242: CVSS 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
CWE-863: Incorrect Authorization
This improper access control vulnerability allows users who were once instance administrators to retain certain access rights after being downgraded to regular users.

CVE-2024-12619: CVSS 5.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N)
CWE-1220: Insufficient Granularity of Access Control
This vulnerability allows internal users to gain unauthorized access to internal projects.

CVE-2024-10307: CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
CWE-770: Allocation of Resources Without Limits or Throttling
This vulnerability allows uncontrolled resource consumption via a maliciously crafted Terraform file in a merge request.

CVE-2024-9773: CVSS 3.7 (CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N)
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
This vulnerability allows a maintainer to inject shell commands through the Harbor project name configuration when helper scripts are used.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing. The vulnerabilities have been patched in versions 17.10.1, 17.9.3 and 17.8.6 for both the Community and Enterprise Edition of GitLab.
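To help triage an inventory of self-managed instances against the fixed versions named above, the following check is an added example (not code from GitLab or the CCB); it compares a GitLab version string with the patched release of its own branch, and assumes that any branch newer than 17.10 also carries the fix:

```python
"""Classify GitLab version strings against the patched releases in this advisory."""
import re

# Patched releases from the advisory, keyed by release branch (major, minor).
FIXED_VERSIONS = {
    (17, 10): (17, 10, 1),
    (17, 9): (17, 9, 3),
    (17, 8): (17, 8, 6),
}

# Leading "X.Y.Z"; edition suffixes such as "-ee" or "-ce" are ignored.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple:
    """Turn '17.10.0-ee' into (17, 10, 0); raise on unparseable input."""
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised GitLab version: {version!r}")
    return tuple(int(part) for part in match.groups())


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'upgrade required' for one version."""
    parsed = parse_version(version)
    branch = parsed[:2]
    if branch in FIXED_VERSIONS:
        # Same branch: compare patch level against the fixed release.
        return "patched" if parsed >= FIXED_VERSIONS[branch] else "vulnerable"
    if branch > max(FIXED_VERSIONS):
        # Assumption: a branch newer than 17.10 was released after the fix.
        return "patched"
    # Branches older than 17.8 receive no fix in this advisory.
    return "upgrade required"


def assess_inventory(inventory: dict) -> dict:
    """Map each hostname in {host: version} to its verdict."""
    return {host: assess(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative.
    sample = {
        "git-prod.example.internal": "17.10.0-ee",
        "git-staging.example.internal": "17.9.3-ce",
        "git-legacy.example.internal": "17.7.5",
    }
    for host, verdict in assess_inventory(sample).items():
        print(f"{host}: {verdict}")
```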

Monitor/Detect

The CCB recommends that organisations scale up their monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.

References

https://about.gitlab.com/releases/2025/03/26/patch-release-gitlab-17-10-1-released/