![How to Use AI as a Productivity Tool with Mike Kaput [MAICON 2025 Speaker Series]](https://www.marketingaiinstitute.com/hubfs/v2MAICON-Speaker_Series.png)
![[The AI Show Episode 152]: ChatGPT Connectors, AI-Human Relationships, New AI Job Data, OpenAI Court-Ordered to Keep ChatGPT Logs & WPP’s Large Marketing Model](https://www.marketingaiinstitute.com/hubfs/ep%20152%20cover.png)
.jpg?width=1920&height=1920&fit=bounds&quality=70&format=jpg&auto=webp#)
_designer491_Alamy.jpg?width=1280&auto=webp&quality=80&disable=upscale#)
![PSA: Widespread internet outage affects Spotify, Google, Discord, Cloudflare, more [U: Fixed]](https://i0.wp.com/9to5mac.com/wp-content/uploads/sites/6/2024/07/iCloud-Private-Relay-outage-resolved.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1)
![Apple Shares Teaser Trailer for 'The Lost Bus' Starring Matthew McConaughey [Video]](https://www.iclarified.com/images/news/97582/97582/97582-640.jpg)
Multiple GitLab Vulnerabilities Allow Attackers to Achieve Complete Account Takeover
A series of critical security vulnerabilities across GitLab Community Edition (CE) and Enterprise Edition (EE) platforms that could enable attackers to achieve complete account takeover and compromise entire development infrastructures. The company released emergency patch versions 18.0.2, 17.11.4, and 17.10.8 to address ten distinct security flaws, with several carrying high-severity CVSS scores above 8.0. These […] The post Multiple GitLab Vulnerabilities Allow Attackers to Achieve Complete Account Takeover appeared first on Cyber Security News.
A series of critical security vulnerabilities across GitLab Community Edition (CE) and Enterprise Edition (EE) platforms that could enable attackers to achieve complete account takeover and compromise entire development infrastructures.
The company released emergency patch versions 18.0.2, 17.11.4, and 17.10.8 to address ten distinct security flaws, with several carrying high-severity CVSS scores above 8.0.
These vulnerabilities affect millions of GitLab installations worldwide and pose significant risks to organizations’ source code repositories, CI/CD pipelines, and sensitive development data.
Account Takeover Vulnerabilities
The most severe vulnerability, CVE-2025-4278, presents an HTML injection flaw with a CVSS score of 8.7 that could allow attackers to achieve complete account takeover by injecting malicious code into GitLab’s search functionality.
Security researcher joaxcar discovered this critical flaw through GitLab’s HackerOne bug bounty program, affecting all GitLab CE/EE versions starting with 18.0 before 18.0.2.
Complementing this threat, CVE-2025-2254 represents a cross-site scripting (XSS) vulnerability with an identical CVSS score of 8.7.
This flaw enables attackers to execute malicious scripts within the snippet viewer, allowing them to impersonate legitimate users and perform unauthorized actions within their security context.
The vulnerability impacts GitLab CE/EE versions from 17.9 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2, demonstrating the widespread nature of these security gaps.
CI/CD DoS Attacks
GitLab Ultimate EE customers face an additional high-severity threat through CVE-2025-5121, a missing authorization vulnerability with a CVSS score of 8.5.
The flaw could allow authenticated attackers to inject malicious CI/CD jobs into all future pipelines across any project within a GitLab Ultimate instance.
The vulnerability affects GitLab Ultimate EE versions from 17.11 before 17.11.4 and 18.0 before 18.0.2, potentially compromising entire software development and deployment processes.
Multiple denial-of-service vulnerabilities compound these risks, including CVE-2025-0673 (CVSS 7.5), which enables attackers to trigger infinite redirect loops, causing server memory exhaustion.
Additional DoS vectors include CVE-2025-1516 and CVE-2025-1478, exploiting unbounded webhook token names and board names, respectively, both carrying CVSS scores of 6.5.
These vulnerabilities affect GitLab installations dating back to versions 8.7 and 8.13, indicating long-standing security weaknesses.
Immediate Patching Required
GitLab strongly recommends immediate upgrades to the latest patch versions for all self-managed installations, emphasizing that GitLab.com has already implemented the security fixes.
The vulnerabilities span multiple deployment types, including Omnibus, source code installations, and Helm charts, requiring comprehensive remediation efforts across diverse infrastructure configurations.
Organizations should prioritize upgrading affected systems immediately, as GitLab follows a responsible disclosure policy that makes vulnerability details public 30 days after patch release.
The company maintains that all customer-facing systems and data hosting environments must adhere to the highest security standards, making these patches critical for maintaining secure development environments.
Security teams should implement these updates during the next available maintenance window to prevent potential exploitation of these serious vulnerabilities.
Live Credential Theft Attack Unmask & Instant Defense – Free Webinar
The post Multiple GitLab Vulnerabilities Allow Attackers to Achieve Complete Account Takeover appeared first on Cyber Security News.
