SB2025111310 - Multiple vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE)
Published: November 13, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 9 secuirty vulnerabilities.
1) Stored cross-site scripting (CVE-ID: CVE-2025-11224)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in k8s proxy. A remote user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
2) Incorrect authorization (CVE-ID: CVE-2025-11865)
The vulnerability allows a remote attacker to bypass authorization checks.
The vulnerability exists due to incorrect authorization in workflows. A remote user can remove Duo flows of another user.
3) Information disclosure (CVE-ID: CVE-2025-6171)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application in packages API endpoint. A remote user can access the packages API endpoint even when repository access is disabled and view branch names and pipeline details.
4) Information disclosure (CVE-ID: CVE-2025-2615)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application in GraphQL subscriptions. A remote blocked user can establish GraphQL subscriptions through WebSocket connections and gain access sensitive information.
5) Information disclosure (CVE-ID: CVE-2025-7000)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application within access control. A remote user can access project issues with related merge requests and view confidential branch names.
6) Improper Validation of Generative AI Output (CVE-ID: CVE-2025-6945)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the prompt injection issue in GitLab Duo review. A remote user can inject hidden prompts in merge request comments and leak sensitive information from confidential issues.
7) Path traversal (CVE-ID: CVE-2025-11990)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences in branch names. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
8) Improper access control (CVE-ID: CVE-2025-7736)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in GitLab Pages. A remote user can bypass implemented security restrictions and view GitLab Pages content intended only for project members.
9) Input validation error (CVE-ID: CVE-2025-12983)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in markdown. A remote user can pass specially crafted input to the application and perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.