GitLab has released security updates to address multiple vulnerabilities in its DevSecOps platform. These include issues that enable attackers to take over accounts and inject malicious jobs into future pipelines.
To fix these flaws, the company rolled out GitLab Community and Enterprise versions 18.0.2, 17.11.4, and 17.10.8. It also urged all admins to upgrade immediately.
“These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations upgrade to one of these versions immediately,” the company stated. “GitLab.com already runs the patched version. GitLab Dedicated customers do not need to take action.”
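Because the only remediation the advisory offers is upgrading to 18.0.2, 17.11.4 or 17.10.8, the first thing an administrator of a self-managed fleet needs is a quick way to tell which instances are still below the patched release for their branch. The script below is an added example, not code from the article or from GitLab; it assumes you already have each instance's version string (for example the `version` field that GitLab's authenticated `/api/v4/version` endpoint returns, which carries an `-ee`/`-ce` suffix), and it assumes that a branch with no patched release listed in the advisory should be upgraded to the lowest listed release above it, which the article does not state explicitly.

```python
import re

# Patched releases named in the advisory, keyed by (major, minor) branch.
PATCHED_RELEASES = {
    (18, 0): (18, 0, 2),
    (17, 11): (17, 11, 4),
    (17, 10): (17, 10, 8),
}

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Parse a GitLab version string such as '17.11.3-ee' into (major, minor, patch).

    The '-ee' / '-ce' edition suffix that the /api/v4/version endpoint appends
    is ignored; it does not change the release number being compared.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def check_version(text):
    """Classify an installed version against the advisory's patched releases.

    Returns (status, target):
      'patched'             installed is at or above the fix on its own branch
      'upgrade'             installed is on a patched branch but below the fix
      'no-patched-release'  the branch has no fix in this advisory; target is
                            the lowest listed release above the installed one,
                            or None when the installed version is newer than
                            all of them (assumption: such a version is outside
                            this advisory's scope and needs a separate check)
    """
    installed = parse_version(text)
    fixed = PATCHED_RELEASES.get(installed[:2])
    if fixed is not None:
        return ("patched" if installed >= fixed else "upgrade", fixed)
    newer = sorted(v for v in PATCHED_RELEASES.values() if v > installed)
    return ("no-patched-release", newer[0] if newer else None)


def report(instances):
    """Produce one human-readable line per (name, version) pair."""
    lines = []
    for name, version in instances:
        status, target = check_version(version)
        wanted = ".".join(map(str, target)) if target else "n/a"
        lines.append(f"{name}: {version} -> {status} (target {wanted})")
    return lines


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    SAMPLE = [
        ("git-prod", "17.11.3-ee"),
        ("git-staging", "18.0.2-ee"),
        ("git-legacy", "17.9.1-ce"),
    ]
    print("\n".join(report(SAMPLE)))
```

Comparing tuples rather than raw strings avoids the classic mistake of treating "17.10.8" as lower than "17.9.1" in a lexical sort, and keeping the patched releases in one table makes the script easy to update when the next advisory lands.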
On Wednesday, GitLab fixed an HTML injection issue tracked as CVE-2025-4278. This vulnerability allows remote attackers to take over accounts by injecting malicious code into the search page.
Additionally, the company addressed a missing authorization issue (CVE-2025-5121) that affects GitLab Ultimate EE. This flaw allows remote threat actors to inject malicious CI/CD jobs into any project’s future CI/CD pipelines.
GitLab pipelines serve as a key Continuous Integration/Continuous Deployment (CI/CD) feature, enabling users to build, test, or deploy code changes sequentially—or automatically run tasks and processes in parallel.
However, to exploit these vulnerabilities successfully, attackers must have authenticated access to the targeted GitLab instance, which must hold a GitLab Ultimate license.
Furthermore, GitLab fixed a cross-site scripting vulnerability (CVE-2025-2254) that could allow attackers to act in the context of a legitimate user. It also resolved a denial of service (DoS) flaw (CVE-2025-0673) that lets malicious actors trigger infinite redirect loops, which can cause memory exhaustion and block access for legitimate users.
GitLab repositories continue to attract attackers due to the sensitive data they hold. Recent breaches at Europcar Mobility Group and Pearson highlight this trend, as both organizations reported compromises in their GitLab repos earlier this year.
Today, GitLab’s DevSecOps platform serves over 30 million registered users and supports more than 50% of Fortune 100 companies, including Goldman Sachs, Airbus, T-Mobile, Lockheed Martin, Nvidia, and UBS.
Source: BleepingComputer, Sergiu Gatlan