GitLab Patches Critical Security Vulnerabilities Enabling Data Theft and Access Control Bypass

• Facebook
• Twitter

GitLab Patches Critical Security Vulnerabilities Enabling Data Theft and Access Control Bypass

• Why Enterprise RAID Rebuilding Succeeds Where Consumer Arrays Fail?
• Linus Torvalds Rejects MMC Subsystem Updates for Linux 7.0: “Complete Garbage”
• The Man Who Maintained Sudo for 30 Years Now Struggles to Fund the Work That Powers Millions of Servers
• How Close Are Quantum Computers to Breaking RSA-2048?
• Why Windows 10 Users Are Flocking to Zorin OS 18 Instead of Linux Mint?
• How to Prevent Ransomware Infection Risks?
• What is the best alternative to Microsoft Office?

GitLab Patches Critical Security Vulnerabilities Enabling Data Theft and Access Control Bypass

GitLab has issued emergency security updates to address multiple vulnerabilities affecting both its Community and Enterprise editions.

The company released versions 18.5.2, 18.4.4, and 18.3.6 to resolve critical security flaws that could allow attackers to steal sensitive information and circumvent access controls.

How Did Tesla and Major Companies Fall Victim to Cryptojacking?

Critical AI Prompt Injection Vulnerability

The most severe vulnerability involves a prompt injection attack in GitLab Duo’s code review feature. Attackers can embed hidden malicious instructions directly within merge request comments, manipulating the AI system into leaking sensitive information from confidential issues. This flaw affects GitLab Enterprise Edition version 17.9 and later, potentially exposing unauthorized users to project secrets and confidential data.

The vulnerability highlights growing security concerns around AI-integrated development tools, where natural language interfaces can be exploited to bypass traditional security boundaries.

How Do I Know If My Router Has Been Hacked?

Comprehensive List of Patched Vulnerabilities

Beyond the prompt injection issue, GitLab has addressed nine additional vulnerabilities with varying severity levels:

High Severity:

• CVE-2025-11224 (CVSS 7.7): Cross-site scripting (XSS) vulnerability in the Kubernetes agent affecting authenticated users in versions 15.10 and later, enabling execution of malicious scripts

Medium Severity:

• CVE-2025-11865 (CVSS 6.5): Improper authorization in workflows allowing users to delete other users’ AI processes, compromising workflow integrity
• CVE-2025-2615 (CVSS 4.3): Information disclosure through GraphQL subscriptions, enabling blocked users to maintain unauthorized data access
• CVE-2025-7000 (CVSS 4.3): Access control flaw permitting unauthorized viewing of branch names

Low Severity:

• CVE-2025-6945 (CVSS 3.5): Additional prompt injection issue in GitLab Duo review
• CVE-2025-6171 (CVSS 3.1): Information disclosure via package API endpoints when repository access is disabled
• CVE-2025-11990 (CVSS 3.1): Client-side path traversal vulnerability in branch names
• CVE-2025-7736 (CVSS 3.1): Improper access controls in GitLab Pages allowing OAuth authentication bypass
• CVE-2025-12983 (CVSS 3.1): Denial of service vulnerability through specially crafted Markdown content

Which Honeypot Is Best for Enterprise Security Teams?

Attack Vectors and Impact

These vulnerabilities create multiple pathways for attackers to compromise GitLab instances:

1. Data Exfiltration: Attackers can leverage AI manipulation, GraphQL subscriptions, and API endpoints to extract sensitive project information
2. Access Control Bypass: Multiple flaws enable unauthorized users to view restricted content or circumvent authentication mechanisms
3. Service Disruption: The Markdown-based denial of service vulnerability could be exploited to disrupt development workflows
4. Workflow Sabotage: Authorization flaws allow malicious users to interfere with other users’ AI-assisted processes

How to Prevent Ransomware Infection Risks

Immediate Action Required

GitLab strongly recommends immediate upgrading to patched versions. The company has already updated GitLab.com, and GitLab Dedicated customers require no action. However, self-hosted instances must prioritize updates, as these vulnerabilities directly threaten customer data security.

Important Upgrade Considerations:

• Single-node instances will experience downtime during updates
• Multi-node installations can achieve zero-downtime upgrades with proper procedures
• Patches include database migrations that may affect the upgrade process

How Do Hackers Gain Administrator Access in Under an Hour?

Responsible Disclosure and Transparency

Most vulnerabilities were discovered through GitLab’s HackerOne bug bounty program, demonstrating the effectiveness of collaborative security research.

GitLab has committed to publishing full security details in its public issue tracker 30 days after patch release, balancing transparency with user protection.

Why VPN Security Should Be Every Enterprise’s Top Priority

Recommendations

All organizations using GitLab should:

1. Immediately verify their current GitLab version
2. Deploy patches as soon as possible, prioritizing high-severity vulnerabilities
3. Review access logs for signs of exploitation, particularly around merge requests and AI feature usage
4. Audit workflows for unauthorized modifications or deletions
5. Monitor GitLab’s security advisories for additional information when published

As development platforms increasingly integrate AI capabilities, this incident underscores the importance of rigorous security testing and prompt patching.

Organizations relying on GitLab for critical development workflows should treat these updates as urgent to protect against evolving security threats.

GitLab Patches Critical Security Vulnerabilities Enabling Data Theft and Access Control Bypass

Windows Software Alternatives in Linux

Disclaimer of pbxscience.com