In all GitLab versions from 15.11 prior to 16.6.7, 16.7 prior to 16.7.5, and 16.8 prior to 16.8.2, a medium severity vulnerability, CVE-2023-6386, was detected. This vulnerability allows attackers to spike the GitLab instance’s resource usage, leading to service degradation and potential downtime. To fix this issue, users should upgrade GitLab CE/EE to versions 16.6.7, 16.7.5, or 16.8.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2023-6386.
In GitLab versions from 13.6 to 17.2.9, 17.3 to 17.3.5 and 17.4 to 17.4.2, a high severity vulnerability, CVE-2024-9631, was detected. This vulnerability causes significant delays in responsiveness when viewing diffs of merge requests with conflicts, affecting workflow efficiency during code reviews. To address this issue, users should upgrade GitLab to versions 17.2.9, 17.3.5, 17.4.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-9631.
In Git LFS versions prior to 3.6.1, a high severity vulnerability, CVE-2024-53263, was detected. This vulnerability allows an attacker to retrieve a user’s Git credentials by inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) into the URL. To address this issue, users should upgrade Git LFS to version 3.6.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-53263.
In GitLab EE versions 16.0 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2, a medium severity vulnerability, CVE-2024-6356, was detected. This vulnerability allows unauthorized cross-project access for the Security Policy Bot. To address this issue, users should upgrade GitLab EE to versions 17.8.1, 17.7.3, or 17.6.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-6356.
In Argo CD versions 2.13.4, 2.12.10 and 2.11.13, a medium severity vulnerability, CVE-2025-23216, was detected. This vulnerability allows attackers with write access to expose secret values in error messages and the diff view by syncing an invalid Kubernetes Secret, making them visible to any user with read access to Argo CD. To address this issue, users should upgrade Argo CD to version 2.13.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-23216.
In GitLab CE/EE versions 10.6 up to 16.9.7, 16.10 up to 16.10.5, and 16.11 up to 16.11.2, a medium severity vulnerability, CVE-2024-1211, was detected. This vulnerability allows attackers to potentially exploit cross-site request forgery (CSRF) on GitLab instances configured to use JWT as an OmniAuth provider. To address this issue, users should upgrade GitLab CE/EE to versions 16.11.2, 16.10.5 or 16.9.7. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-1211.
In GitLab CE/EE versions 15.5 up to 16.9.7, 16.10 up to 16.10.5, and 16.11 up to 16.11.2, a low severity vulnerability, CVE-2023-6195, was detected. This vulnerability allows attackers to exploit server-side request forgery (SSRF) by using a malicious URL in the markdown image value when importing a GitHub repository. To address this issue, users should upgrade GitLab CE/EE to versions 16.11.2, 16.10.5 or 16.9.7. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2023-6195.
In GitLab CE/EE versions starting from 15.0 prior to 17.5.5, from 17.6 prior to 17.6.3 and from 17.7 prior to 17.7.1, a medium severity vulnerability, CVE-2025-0290, was detected. This vulnerability allows attackers to cause background jobs to become unresponsive by exploiting the processing of CI artifacts metadata under certain conditions. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-0290.
In Jenkins GitLab Plugin versions 1.9.6 and prior, a medium severity vulnerability, CVE-2025-24397, was detected. This vulnerability allows attackers with global Item/Configure permission to enumerate credential IDs of GitLab API token and Secret text credentials, even without Item/Configure permission on specific jobs. To address this issue, users should upgrade Jenkins GitLab Plugin to version 1.9.7 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-24397.