In GitLab CE/EE versions from 15.10 before 18.0.5, 18.1 before 18.1.3 and 18.2 before 18.2.1, a high-severity vulnerability, CVE-2025-4439, was discovered. It could allow an authenticated user to perform cross-site scripting (XSS) attacks when the GitLab instance is served through certain content delivery networks (CDNs). To address this issue, upgrade GitLab CE/EE to version 18.0.5, 18.1.3 or 18.2.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4439.
In ZITADEL versions from 2.53.0 up to but not including 4.0.0-rc.2, 3.3.2, 2.71.13 and 2.70.14, a high-severity vulnerability, CVE-2025-53895, was detected. It allows any authenticated user to hijack sessions and impersonate other users by updating arbitrary sessions using only the session ID, because the session management API did not check that the caller was authorized to modify the session it was asked to update. To address this issue, upgrade ZITADEL to version 4.0.0-rc.2, 3.3.2, 2.71.13 or 2.70.14. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-53895.
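The bug class behind this advisory, as an added illustration written for this page (it is not ZITADEL's code and is not derived from the fix): an in-memory session store whose UpdateVulnerable rewrites whichever session the given ID names, beside an UpdateFixed that only applies the write if the session is bound to the calling user and the caller presents a per-session token. The store, the token and the claim names are assumptions made for the example.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"sync"
)

// Illustrative in-memory session service written for this page; it is NOT
// ZITADEL's implementation. The per-session token is an assumed design
// detail: a secret returned only to whoever created the session.

var ErrForbidden = errors.New("caller may not modify this session")

type Session struct {
	ID     string
	UserID string            // user the session is bound to
	Token  string            // per-session secret handed to the creator (assumed)
	Claims map[string]string // e.g. authentication factors recorded on the session
}

type Store struct {
	mu       sync.Mutex
	sessions map[string]*Session
}

func NewStore() *Store { return &Store{sessions: map[string]*Session{}} }

func (s *Store) Create(id, userID, token string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[id] = &Session{ID: id, UserID: userID, Token: token, Claims: map[string]string{}}
}

// Claim returns a recorded claim so the effect of an update can be inspected.
func (s *Store) Claim(id, key string) string {
	s.mu.Lock()
	defer s.mu.Unlock()
	if sess, ok := s.sessions[id]; ok {
		return sess.Claims[key]
	}
	return ""
}

// UpdateVulnerable is the flawed pattern: the caller is authenticated (we
// know callerUserID) but is never compared against the session being
// changed, so any user who learns a session ID can rewrite that session.
func (s *Store) UpdateVulnerable(callerUserID, sessionID string, patch map[string]string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[sessionID]
	if !ok {
		return ErrForbidden
	}
	_ = callerUserID // authenticated, but not authorized
	for k, v := range patch {
		sess.Claims[k] = v
	}
	return nil
}

// UpdateFixed authorizes the write: the session must be bound to the caller
// and the caller must present the session token. Unknown IDs and wrong
// credentials return the same error so the endpoint cannot be used to
// enumerate valid session IDs.
func (s *Store) UpdateFixed(callerUserID, sessionID, sessionToken string, patch map[string]string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[sessionID]
	if !ok {
		return ErrForbidden
	}
	tokenOK := subtle.ConstantTimeCompare([]byte(sess.Token), []byte(sessionToken)) == 1
	if sess.UserID != callerUserID || !tokenOK {
		return ErrForbidden
	}
	for k, v := range patch {
		sess.Claims[k] = v
	}
	return nil
}

func main() {
	st := NewStore()
	st.Create("sess-1", "alice", "tok-alice") // constructed sample data
	// "bob" is authenticated but knows only the ID of alice's session.
	err := st.UpdateVulnerable("bob", "sess-1", map[string]string{"mfa": "verified"})
	fmt.Println("vulnerable update by bob:", err, "mfa =", st.Claim("sess-1", "mfa"))
	err = st.UpdateFixed("bob", "sess-1", "", map[string]string{"password": "verified"})
	fmt.Println("fixed update by bob:", err)
	err = st.UpdateFixed("alice", "sess-1", "tok-alice", map[string]string{"password": "verified"})
	fmt.Println("fixed update by alice:", err)
}
```

The point of the fixed variant is that "the caller is logged in" and "the caller may touch this session" are separate checks; the first was present in the vulnerable API and the second was missing. Returning one error for both unknown and foreign session IDs also keeps the endpoint from doubling as an ID oracle.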
In GitLab EE versions from 13.3 before 17.11.6, 18.0 before 18.0.4 and 18.1 before 18.1.2, a medium-severity vulnerability, CVE-2025-3396, was detected. It allows attackers to bypass group-level forking restrictions by manipulating API requests. To fix this issue, upgrade GitLab EE to version 17.11.6, 18.0.4 or 18.1.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3396.
In GitLab EE versions from 18.0 before 18.0.4 and 18.1 before 18.1.2, a low-severity vulnerability, CVE-2025-6168, was detected. It allows attackers to bypass group-level user invitation restrictions by sending specially crafted API requests. To fix this issue, upgrade GitLab EE to version 18.0.4 or 18.1.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6168.
In GitLab CE/EE versions from 17.11 before 17.11.6, 18.0 before 18.0.4 and 18.1 before 18.1.2, a high-severity vulnerability, CVE-2025-6948, was detected. It allows attackers to perform actions on behalf of other users by injecting malicious content. To fix this issue, upgrade GitLab to version 17.11.6, 18.0.4 or 18.1.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6948.
In GitLab EE versions from 18.0 before 18.0.4 and 18.1 before 18.1.2, a medium-severity vulnerability, CVE-2025-4972, was detected. It allows attackers who already hold invitation privileges to bypass group-level user invitation restrictions by manipulating the group invitation functionality. To fix this issue, upgrade GitLab EE to version 18.0.4 or 18.1.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4972.
In Helm versions prior to 3.18.4, a medium-severity vulnerability, CVE-2025-53547, was detected. It could allow an attacker to trick Helm into overwriting files on the system, which in turn could lead to commands being executed without the user's knowledge. To fix this vulnerability, update Helm to version 3.18.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-53547.
In GitLab CE/EE versions from 17.2 before 17.11.5, 18.0 before 18.0.3 and 18.1 before 18.1.1, a medium-severity vulnerability, CVE-2025-1754, was detected. It allows unauthenticated attackers to upload arbitrary files to public projects via crafted API requests, potentially resulting in resource abuse and unauthorized content storage. To address this issue, upgrade GitLab CE/EE to version 17.11.5, 18.0.3 or 18.1.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1754.
In GitLab CE/EE versions from 17.3 before 17.11.5, 18.0 before 18.0.3 and 18.1 before 18.1.1, a low-severity vulnerability, CVE-2025-2938, was detected. It allows authenticated users to gain elevated project privileges by requesting access to a project: a role change made while the access request is being approved could unintentionally grant higher permissions than intended. To address this issue, upgrade GitLab CE/EE to version 17.11.5, 18.0.3 or 18.1.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2938.