GitLab has released critical security updates for its Community Edition (CE) and Enterprise Edition (EE), addressing several vulnerabilities, including a high-severity cross-site scripting (XSS) flaw. 

The patched versions, 17.8.1, 17.7.3, and 17.6.4, are now available, and GitLab strongly recommends all self-managed installations upgrade immediately.

Vulnerabilities Addressed

XSS Vulnerability in File Rendering

The most critical issue addressed is improper rendering of certain file types causes a stored XSS vulnerability (CVE-2025-0314). This flaw impacts all versions from 17.2 before 17.6.4, 17.7 before 17.7.3, and 17.8 before 17.8.1. 

With a CVSS score of 8.7, this vulnerability allows attackers to inject malicious scripts into GitLab instances, potentially leading to session hijacking, data theft, or unauthorized system control.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

The root cause lies in how GitLab renders certain file types using Asciidoctor, enabling attackers to embed malicious JavaScript payloads in files that execute within the victim’s browser context upon rendering. This could compromise user sessions or expose sensitive data.

The issue was responsibly disclosed by yvvdwf, a security researcher through GitLab’s HackerOne bug bounty program.

Protected CI/CD Variable Exfiltration via CI Lint (CVE-2024-11931)

This medium-severity flaw (CVSS: 6.4) allowed developers to exfiltrate sensitive CI/CD variables under specific conditions using the CI lint feature. It affects versions starting from 17.0 before the patched releases and was discovered by GitLab team member Greg Myers.

Cyclic Reference of Epics Leading to Resource Exhaustion (CVE-2024-6324)

A denial-of-service (DoS) vulnerability with a CVSS score of 4.3 was identified in versions starting from 15.7 before the patched releases. By creating cyclic references between epics, attackers could exhaust system resources, disrupting services.

Recommended Actions

GitLab urges all users to upgrade to the latest patched versions—17.8.1, 17.7.3, or 17.6.4—to mitigate these vulnerabilities.

To minimize risks, regularly update your GitLab instance, monitor logs for suspicious activity, educate users on recognizing phishing attempts and applying updates promptly and conduct periodic security audits.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar