Source: BleepingComputer
Author: Sergiu Gatlan
URL: https://www.bleepingcomputer.com/news/security/gitlab-patches-high-severity-account-takeover-missing-auth-issues/
ONE SENTENCE SUMMARY:

GitLab urgently released patches for critical vulnerabilities allowing account takeover, malicious CI/CD job injections, and denial-of-service attacks.

MAIN POINTS:

- GitLab issued security updates for Community and Enterprise editions 18.0.2, 17.11.4, and 17.10.8.
- CVE-2025-4278 vulnerability allows attackers to hijack accounts through HTML injection.
- CVE-2025-5121 flaw permits malicious CI/CD job injection into future project pipelines.
- CVE-2025-2254 addresses a cross-site scripting vulnerability affecting legitimate user sessions.
- CVE-2025-0673 fixes a denial-of-service issue involving infinite redirect loops and memory exhaustion.
- GitLab.com and Dedicated customers already have the security patches applied.
- GitLab strongly urges immediate upgrades for all self-managed installations.
- Attackers exploiting CVE-2025-5121 require authenticated access to GitLab Ultimate licensed instances.
- Recent breaches affected Europcar Mobility Group and Pearson through compromised GitLab repositories.
- The GitLab platform serves over 30 million users, including half of Fortune 100 companies.

TAKEAWAYS:

- Immediately upgrade self-managed GitLab instances to patched versions.
- Ensure strict authentication and access controls, especially for GitLab Ultimate environments.
- Recognize the high-value target GitLab represents due to sensitive information in repositories.
- Regularly monitor GitLab security advisories to respond swiftly to emerging threats.
- Automate patching processes to streamline security updates and reduce administrative overhead.
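As an added, offline check (not code from the article or from GitLab), the following Python classifies a self-managed instance's reported version against the three patched releases named above; it assumes the version string comes from GitLab's `GET /api/v4/version` endpoint, which returns JSON with a `version` field such as `18.0.1-ee`, and the sample payload below is constructed.

```python
import json
from typing import Tuple

# Patched releases named in the advisory, keyed by release line (MAJOR, MINOR).
PATCHED_RELEASES = {
    (18, 0): (18, 0, 2),
    (17, 11): (17, 11, 4),
    (17, 10): (17, 10, 8),
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn 'MAJOR.MINOR.PATCH[-suffix]' (e.g. '18.0.1-ee') into an int tuple."""
    core = version.strip().split("-", 1)[0]  # drop '-ee', '-pre' and similar suffixes
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def assess(version: str) -> str:
    """Classify an installed version against the fixed releases.

    Returns one of:
      'patched'             - same release line, at or above the fixed patch level
      'vulnerable'          - same release line, below the fixed patch level
      'end-of-life'         - line older than 17.10; no fix was issued for it, so it
                              must be upgraded to a supported, patched line
      'newer-than-advisory' - line newer than 18.0; not covered by this advisory,
                              verify it against GitLab's own release notes
    """
    installed = parse_version(version)
    line = installed[:2]
    fixed = PATCHED_RELEASES.get(line)
    if fixed is None:
        return "end-of-life" if line < min(PATCHED_RELEASES) else "newer-than-advisory"
    return "patched" if installed >= fixed else "vulnerable"


def assess_api_response(payload: str) -> str:
    """Classify the JSON body returned by GET /api/v4/version."""
    return assess(json.loads(payload)["version"])


if __name__ == "__main__":
    # Constructed sample payload in the shape the version endpoint returns.
    sample = '{"version": "18.0.1-ee", "revision": "0123abcd"}'
    print(sample, "->", assess_api_response(sample))  # -> vulnerable
```

Run it against the JSON from an authenticated request to `/api/v4/version` on each self-managed instance; anything other than `patched` means the instance still needs attention.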