GitLab Vulnerabilities Let Attackers Bypass Security Controls & Execute Arbitrary Code

GitLab has issued a security advisory warning of multiple high-risk vulnerabilities in its DevOps platform, including two high-severity Cross-Site Scripting (XSS) flaws that let attackers bypass security controls and execute malicious scripts in users' browsers.
The vulnerabilities, tracked as CVE-2025-0475 (CVSS 8.7) and CVE-2025-0555 (CVSS 7.7), affect self-managed instances across several release lines. Script that runs in a victim's authenticated GitLab session acts with that user's permissions, so the realistic outcomes are session abuse, access to the victim's projects and CI/CD configuration and, depending on the victim's role, unauthorized changes to the instance.
High-Severity Kubernetes Proxy Vulnerability (CVE-2025-0475)
The high-severity XSS flaw in GitLab's Kubernetes proxy endpoint affects all versions from 15.10 before 17.7.6, 17.8 before 17.8.4 and 17.9 before 17.9.1. In practice that is every release from 15.10 up to and including 17.9.0 that has not received one of the three patch releases.
An attacker who can influence content returned through the proxy can get the victim's browser to render it as active content (HTML and JavaScript) in the GitLab origin instead of treating it as inert data; that rendering step is what turns a proxying bug into XSS.
“A proxy feature could potentially allow unintended content rendering leading to XSS under specific circumstances,” reads GitLab's advisory.
The CVSS vector (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N) means the flaw is reachable over the network with low complexity, needs only a low-privileged attacker account plus one interaction by the victim, and has changed scope because the payload executes in the victim's browser rather than on the server. Because GitLab's session cookie is flagged HttpOnly, the classic document.cookie exfiltration does not work here; it is also unnecessary, since every fetch or XMLHttpRequest the injected script issues is sent with the victim's session automatically. Script running in that context can:
- Call the GitLab REST and GraphQL APIs as the victim, reading and modifying anything the victim can, including CI/CD pipeline configuration and project settings
- Reach Kubernetes clusters connected to GitLab through the same integration the proxy serves, with the victim's permissions, which is how a browser-side bug becomes a deployment-side one
- Perform any action reserved for the victim's role, so a Maintainer or Owner victim hands the attacker effective control of the project
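The following sketch is an added example, not GitLab's code, and it does not describe the actual defect behind CVE-2025-0475 (the advisory gives no internals). It shows the general failure mode of a proxy that relays an upstream response verbatim, beside a hardened relay that never lets the upstream pick a renderable type. The upstream reply, the allowlist and the browser-decision model are constructed for the example.

```python
# Added example (not GitLab's code, not the CVE-2025-0475 root cause): a proxy that
# forwards an upstream body untouched lets the browser render attacker-controlled
# content as HTML in the proxying site's origin; the hardened relay prevents that.
from typing import Dict, Tuple

Response = Tuple[int, Dict[str, str], bytes]  # (status, headers, body)

# Constructed upstream reply: what a hostile cluster or registry might return
# in place of the JSON the proxy caller expected.
MALICIOUS_UPSTREAM: Response = (
    200,
    {"Content-Type": "text/html; charset=utf-8"},
    b"<html><script>alert(document.domain)</script></html>",
)

# Types the proxy legitimately needs to return inline (assumption for the example).
RENDERABLE_ALLOWLIST = {"application/json", "text/plain"}


def vulnerable_relay(upstream: Response) -> Response:
    """Relays status, headers and body as-is: the upstream's Content-Type decides
    how the victim's browser interprets the body, inside the proxy's origin."""
    status, headers, body = upstream
    return status, dict(headers), body


def hardened_relay(upstream: Response) -> Response:
    """Only allowlisted types keep their Content-Type; anything else becomes an
    opaque download. nosniff stops the browser second-guessing the type, and the
    sandbox CSP means even a mis-typed HTML body runs in an opaque origin with
    script disabled. 'attachment' only affects top-level navigations, so API
    callers using fetch/XHR are unaffected."""
    status, headers, body = upstream
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    out = {
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
        "Content-Disposition": "attachment",
    }
    if ctype in RENDERABLE_ALLOWLIST:
        out["Content-Type"] = f"{ctype}; charset=utf-8"
    else:
        out["Content-Type"] = "application/octet-stream"
    return status, out, body


def browser_would_execute_script(resp: Response) -> bool:
    """Crude model of the browser decision that matters here: the body looks like
    HTML, is shown inline, is served as text/html (or is sniffable), and no
    sandboxing CSP is present. Constructed for the example, not a real engine."""
    _, headers, body = resp
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    inline = "attachment" not in headers.get("Content-Disposition", "").lower()
    sandboxed = "sandbox" in headers.get("Content-Security-Policy", "").lower()
    nosniff = headers.get("X-Content-Type-Options", "").lower() == "nosniff"
    sniffable = ctype == "" and not nosniff
    looks_like_html = b"<script" in body.lower()
    return inline and not sandboxed and looks_like_html and (ctype == "text/html" or sniffable)


if __name__ == "__main__":
    for name, relay in (("vulnerable", vulnerable_relay), ("hardened", hardened_relay)):
        status, headers, _ = relay(MALICIOUS_UPSTREAM)
        executes = browser_would_execute_script((status, headers, MALICIOUS_UPSTREAM[2]))
        print(f"{name:10} Content-Type={headers['Content-Type']!r} script runs: {executes}")
```

The point of the hardened variant is defence in depth: the allowlist removes the attacker's choice of type, nosniff removes the browser's, and the sandbox directive means a future allowlist mistake still cannot yield script running in the site's origin.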
Maven Dependency Proxy XSS Bypass (CVE-2025-0555)
A separate XSS vulnerability in the Maven Dependency Proxy affects GitLab EE from 16.6 before 17.7.6, 17.8 before 17.8.4 and 17.9 before 17.9.1; the feature, and therefore the flaw, exists only in the Enterprise Edition.
The report attributes it to insufficient input validation in Maven artifact processing: a specially crafted dependency metadata file carrying a JavaScript payload is served in a way that bypasses Content Security Policy (CSP) restrictions. GitLab's own advisory is less specific.
GitLab's advisory says the flaw allows an attacker to “bypass security controls and execute arbitrary scripts in a user’s browser under specific conditions.”
The high attack complexity (AC:H) means exploitation depends on conditions outside the attacker's control, such as a particular configuration or victim state, not on timing. As with the Kubernetes proxy flaw, a victim interaction is required (UI:R), and the script inherits the victim's permissions, so a low-privileged attacker can make a more privileged victim, such as a project Maintainer, carry out actions the attacker could not perform directly.
Medium-Severity Vulnerabilities
Three medium-severity vulnerabilities were fixed in the same release:
- CVE-2024-8186: HTML injection via child item search (CVSS 5.4) enabling limited XSS in self-hosted instances.
- CVE-2024-10925: Guest user access to security policy YAML files (CVSS 5.3) exposing compliance rules.
- CVE-2025-0307: Planner role accessing code review analytics (CVSS 4.3) revealing sensitive metrics.
GitLab’s bug bounty program credited researchers joaxcar, yuki_osaki, and weasterhacker for discovering these vulnerabilities, underscoring the platform’s reliance on community-driven security.
GitLab has released patched versions 17.9.1, 17.8.4, and 17.7.6 for both Community and Enterprise Edition. GitLab.com already runs the patched code, so the work falls on self-managed instances. XSS in a DevOps platform is a software supply chain risk rather than merely a browser one: the victim's session controls source, pipelines, CI/CD variables and deployment credentials.
All organizations running affected versions should treat this as a priority infrastructure update; GitLab's standing recommendation is to upgrade every installation on an affected version to the latest release as soon as possible. Both flaws need a logged-in attacker (PR:L) and a victim interaction (UI:R), so restricting who can hold accounts on the instance and warning users narrows the exposure in the meantime, but neither is a substitute for patching.
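To turn the affected ranges above into a fleet check, here is an added example (not GitLab's code) that classifies a self-managed instance's version string against the windows the advisory gives for the two XSS CVEs. The version ranges come from the advisory as quoted in this article; `/api/v4/version` is GitLab's real endpoint and reports Enterprise Edition with an `-ee` suffix, so a string without that suffix is treated as Community Edition. The sample fleet at the bottom is constructed so the script runs offline.

```python
# Added example (not GitLab's code): is a self-managed GitLab version inside the
# affected ranges for CVE-2025-0475 and CVE-2025-0555 from the 17.9.1 advisory?
import json
import re
import urllib.request
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Advisory wording: affected "prior to 17.7.6, 17.8 prior to 17.8.4, 17.9 prior to 17.9.1".
OLDEST_PATCHED: Version = (17, 7, 6)               # everything below this (from the CVE's
                                                   # lower bound) is affected, 17.0-17.6 included
PATCHED_BRANCHES: List[Tuple[Version, Version]] = [
    ((17, 8, 0), (17, 8, 4)),                      # 17.8.x affected below 17.8.4
    ((17, 9, 0), (17, 9, 1)),                      # 17.9.x affected below 17.9.1
]

ADVISORY: Dict[str, Dict] = {
    "CVE-2025-0475": {"since": (15, 10, 0), "ee_only": False},  # Kubernetes proxy XSS
    "CVE-2025-0555": {"since": (16, 6, 0), "ee_only": True},    # Maven Dependency Proxy XSS (EE)
}


def parse_version(raw: str) -> Tuple[Version, str]:
    """'17.8.2-ee' -> ((17, 8, 2), 'ee'); no '-ee' suffix is treated as 'ce'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-(ee))?(?:[-.].*)?", raw.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {raw!r}")
    return (int(m[1]), int(m[2]), int(m[3])), (m[4] or "ce")


def in_affected_window(v: Version, since: Version) -> bool:
    """True when v lies in [since, 17.7.6) or in an unpatched 17.8/17.9 release."""
    if v < since:
        return False
    if v < OLDEST_PATCHED:
        return True
    return any(lo <= v < hi for lo, hi in PATCHED_BRANCHES)


def affected_cves(raw: str) -> List[str]:
    """CVE identifiers from the advisory that apply to this version and edition."""
    v, edition = parse_version(raw)
    return [
        cve for cve, info in ADVISORY.items()
        if (edition == "ee" or not info["ee_only"]) and in_affected_window(v, info["since"])
    ]


def fetch_version(base_url: str, token: str) -> str:
    """GET /api/v4/version (real GitLab endpoint; needs an authenticated token)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version", headers={"PRIVATE-TOKEN": token}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Constructed sample fleet (hostnames and versions invented for the example).
    fleet = {"git-a": "17.8.2-ee", "git-b": "17.6.1", "git-c": "17.9.1-ee", "git-d": "15.9.3"}
    for host, ver in fleet.items():
        hits = affected_cves(ver)
        print(f"{host}: {ver} -> {', '.join(hits) if hits else 'not in an affected range'}")
```

Note that a 17.6.x instance is reported as affected even though no 17.6 patch exists; the only fix for those release lines is an upgrade to 17.7.6 or later, which is the decision the check is meant to surface.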
The post GitLab Vulnerabilities Let Attackers Bypass Security Controls & Execute Arbitrary Code appeared first on Cyber Security News.