Developer Tools

In GitLab Duo with Amazon Q versions 17.8 before 17.8.6, 17.9 before 17.9.3 and 17.10 before 17.10.1 a medium severity vulnerability CVE-2025-2867 was detected. This vulnerability allows attackers to manipulate AI-assisted development features, potentially exposing sensitive project data to unauthorized users. To address this issue, users should upgrade GitLab Duo to versions 17.8.6, 17.9.3 or 17.10.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2867.

In GitLab versions 14.9 to 17.8.6, 17.9 to 17.9.3, and 17.10 to 17.10.1 a low severity input validation vulnerability CVE-2024-9773 was detected. This vulnerability could have allowed a maintainer to add malicious code to the CLI commands shown in the UI. To address this issue, users should upgrade GitLab to versions 17.8.6, 17.9.3 or 17.10.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-9773.

In GitLab CE/EE versions 17.7 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1 a high severity vulnerability CVE-2025-0811 was detected. This vulnerability allows attackers to execute cross-site scripting attacks due to improper rendering of certain file types. To address this issue, users should upgrade GitLab CE/EE to versions 17.8.6, 17.9.3 or 17.10.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-0811.

In GitLab versions 17.4 to 17.8.6, 17.9 to 17.9.3 and 17.10 to 17.10.1 a high severity vulnerability CVE-2025-2242 was detected. This vulnerability allows a user who was previously an instance admin but has since been downgraded to a regular user to maintain elevated privileges over groups and projects. To address this issue, users should upgrade GitLab to versions 17.8.6, 17.9.3 or 17.10.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2242.

In GitLab versions 13.5.0 to 17.8.6, 17.9 to 17.9.3 and 17.10 to 17.10.1 a high severity vulnerability CVE-2025-2255 was detected. This vulnerability allows attackers to execute Cross-Site Scripting (XSS) attacks through certain error messages. To address this issue, users should upgrade GitLab to versions 17.8.6, 17.9.3 or 17.10.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2255.

In Kubernetes k8s.io/kubernetes/cmd/kube-apiserver package versions 1.3.0 up to and including 1.32.3 a low severity vulnerability CVE-2024-7598 was detected. This vulnerability allows attackers to bypass network restrictions enforced by network policies during namespace deletion, as the undefined order of object deletion may result in network policies being removed before the pods they protect, creating a brief window where network policies are not enforced. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-7598.

In GitLab EE versions 16.5 prior to 17.7.7, 17.8 prior to 17.8.5 and 17.9 prior to 17.9.2 a low severity vulnerability CVE-2024-7296 was detected. This vulnerability allows a user with custom permissions to approve pending membership requests beyond the maximum number of allowed users. To address this issue, users should upgrade GitLab EE to versions 17.7.7, 17.8.5 or 17.9.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-7296.

In GitLab EE versions 12.3 prior to 17.7.7, 17.8 prior to 17.8.5 and 17.9 prior to 17.9.2 a medium severity vulnerability CVE-2025-1257 was detected. This vulnerability allows attackers to cause a denial of service condition by manipulating specific API inputs. To address this issue, users should upgrade GitLab EE to versions 17.7.7, 17.8.5 or 17.9.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1257.

In GitLab EE versions 12.3 before 17.7.7, 17.8 before 17.8.5 and 17.9 before 17.9.2 a medium severity vulnerability CVE-2025-1257 was detected. This vulnerability allows attackers to cause a denial of service condition by manipulating specific API inputs. To address this issue, users should upgrade GitLab EE to versions 17.7.7, 17.8.5 or 17.9.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1257.