GitLab Flaws Expose Millions to Account Takeover Risk

GitLab has issued emergency patches to fix ten security vulnerabilities affecting its Community Edition (CE) and Enterprise Edition (EE) platforms, some of which could allow complete account takeover. The flaws span versions 17.9 through 18.0 and include high-severity vulnerabilities with CVSS scores exceeding 8.0. The most critical, CVE-2025-4278, is an HTML injection flaw that impacts GitLab’s search functionality. Another, CVE-2025-2254, is an XSS vulnerability in the snippet viewer.

GitLab Ultimate EE users face additional risk from CVE-2025-5121, which could let attackers inject malicious CI/CD jobs. Several denial-of-service flaws, including CVE-2025-0673, CVE-2025-1516, and CVE-2025-1478, also pose threats to server stability, affecting versions as far back as 8.7.

Patches are available in versions 18.0.2, 17.11.4, and 17.10.8. GitLab.com has already been updated, and the company urges users of self-managed instances to apply fixes immediately to prevent exploitation. Vulnerability details will be disclosed 30 days post-patch.
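For administrators of self-managed instances, the first question is whether their running version already carries these fixes. The following is an added example (not GitLab's own code) that classifies a version string against the fixed releases named above; it assumes the version comes from `GET /api/v4/version` (an admin-token call) or `gitlab-rake gitlab:env:info`, and that branches newer than 18.0 postdate the patches and so include them.

```python
"""Classify a self-managed GitLab version against the fixed releases
18.0.2, 17.11.4 and 17.10.8 named in the advisory. Added example, not
GitLab code; feed it the "version" field from GET /api/v4/version."""
import re

# Fixed release per minor branch, as listed in the advisory.
FIXED_VERSIONS = {
    (18, 0): (18, 0, 2),
    (17, 11): (17, 11, 4),
    (17, 10): (17, 10, 8),
}


def parse_version(text):
    """Turn '17.10.8' or '17.10.8-ee' into a (major, minor, patch) tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(x) for x in m.groups())


def patch_status(text):
    """Return 'patched', 'upgrade-within-branch' or 'upgrade-branch'.

    patched               : at or above the fixed release for its branch
    upgrade-within-branch : the branch has a fix but this build is older
    upgrade-branch        : no fixed release exists on this branch
                            (17.9 and older, including the 8.7+ builds
                            hit by the DoS flaws); move to a fixed branch
    Assumption: branches newer than 18.0 postdate the patch releases and
    therefore already contain the fixes.
    """
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in FIXED_VERSIONS:
        fixed = FIXED_VERSIONS[branch]
        return "patched" if (major, minor, patch) >= fixed else "upgrade-within-branch"
    if branch > max(FIXED_VERSIONS):
        return "patched"
    return "upgrade-branch"


if __name__ == "__main__":
    # Constructed sample versions, one per outcome.
    for v in ("18.0.2-ee", "17.11.3", "17.9.5"):
        print(v, "->", patch_status(v))
```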
