In GitLab CE/EE versions from 10.7 before 17.11.5, 18.0 before 18.0.3 and 18.1 before 18.1.1 a medium severity vulnerability CVE-2025-3279 was detected. This vulnerability allows authenticated attackers to create a denial-of-service (DoS) condition by sending specially crafted GraphQL requests. To address this issue, users should upgrade GitLab CE/EE to versions 17.11.5, 18.0.3 or 18.1.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3279.
In GitLab CE/EE versions from 17.2 before 17.11.5, 18.0 before 18.0.3 and 18.1 before 18.1.1 a medium severity vulnerability CVE-2025-5315 was detected. This vulnerability allows authenticated users with Guest role permissions to add child items to incident work items by sending crafted API requests that bypass UI-enforced role restrictions. To address this issue, users should upgrade GitLab CE/EE to versions 17.11.5, 18.0.3 or 18.1.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5315.
In GitLab EE versions from 16.10 before 17.11.5, 18.0 before 18.0.3 and 18.1 before 18.1.1 a low severity vulnerability CVE-2025-5846 was detected. This vulnerability allows authenticated users to assign unrelated compliance frameworks to projects by sending crafted GraphQL mutations that bypass framework-specific permission checks. To address this issue, users should upgrade GitLab EE to versions 17.11.5, 18.0.3 or 18.1.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5846.
In Gogs versions prior to 0.13.3 a critical severity vulnerability CVE-2024-56731 was detected. This vulnerability allows unprivileged users to delete files under the .git directory and execute arbitrary commands with the privileges of the configured RUN_USER, enabling remote command execution and unauthorized modification of other users' code hosted on the same instance. To address this issue, users should upgrade to version 0.13.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-56731.
In Kubernetes kube-apiserver versions 1.32.0 up to 1.32.5 and 1.33.0 up to 1.33.1 a high severity vulnerability CVE-2025-4563 was detected. This vulnerability allows compromised nodes to bypass authorization checks during pod creation and access unauthorized dynamic resources, potentially leading to privilege escalation. To address this issue, users should upgrade Kubernetes kube-apiserver to version 1.32.6 or later, or 1.33.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4563.
In Gogs versions 0.14.0+dev and prior a medium severity vulnerability CVE-2025-47943 was detected. This vulnerability allows attackers to execute arbitrary JavaScript in the user's browser via a stored cross-site scripting (XSS) issue caused by the inclusion of a vulnerable pdfjs-1.4.20 component. To address this issue, users should upgrade Gogs to version 0.13.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-47943.
In GitLab EE versions from 16.0 before 16.3.6, from 16.4 before 16.4.2 and from 16.5 before 16.5.1 a low severity vulnerability CVE-2023-5600 was detected. This vulnerability allows unauthorized users to gain arbitrary access to the titles of private specific references through the service-desk custom email template. To address this issue, users should upgrade GitLab EE to versions 16.3.6, 16.4.2 or 16.5.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2023-5600.
In GitLab CE/EE versions from 17.11 before 17.11.4 and 18.0 before 18.0.2 a high severity vulnerability CVE-2025-5121 was detected. This vulnerability allows attackers to apply compliance frameworks to projects outside of the intended compliance framework's group due to a missing authorization check. To address this issue, users should upgrade GitLab CE/EE to versions 17.11.4 or 18.0.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5121.
In GitLab EE versions from 16.6 before 17.9.7, 17.10 before 17.10.5, and 17.11 before 17.11.1 a high severity vulnerability CVE-2025-2443 was detected. This vulnerability allows attackers to perform cross-site scripting (XSS) attacks and bypass content security policy (CSP) protections in the user's browser under specific conditions. To address this issue, users should upgrade GitLab EE to versions 17.9.7, 17.10.5 or 17.11.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2443.