GitLab Urgently Patches Critical Authentication Bypass Flaws – CVE-2025-25291 & CVE-2025-25292


GitLab has released versions 17.9.2, 17.8.5, and 17.7.7 for Community Edition (CE) and Enterprise Edition (EE) to fix multiple security vulnerabilities, including two critical authentication bypass flaws in the ruby-saml library (CVE-2025-25291 and CVE-2025-25292). ruby-saml ran the same SAML response through two different XML parsers, REXML and Nokogiri, and the two can disagree about which part of the document the signature actually covers. An attacker who holds a single validly signed SAML document from the identity provider (IdP) can exploit that parser differential in a Signature Wrapping attack and sign in to GitLab over SAML single sign-on (SSO) as another user.
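The Ruby example below is added here to show the Signature Wrapping mechanics the advisory refers to; it is not ruby-saml's or GitLab's code and does not reproduce the REXML/Nokogiri parser differential. Instead it uses a single parser (REXML) and models the underlying mistake in its simplest form: the service provider verifies the signature on the element a Signature reference points at, but reads the user identity from a different lookup. The IdP key, the HMAC stand-in for XMLDSig, the element names and the user names are all constructed for the example.

```ruby
require 'rexml/document'
require 'openssl'

# Constructed stand-in for the IdP's signing key. Real SAML uses XMLDSig with RSA;
# an HMAC over a canonical form is enough to show where wrapping goes wrong.
IDP_KEY = 'constructed-idp-secret'.freeze

def sig_over(canonical_xml)
  OpenSSL::HMAC.hexdigest('SHA256', IDP_KEY, canonical_xml)
end

# Canonical serialization shared by signer and verifier, independent of how the
# element was formatted on the wire (attributes sorted, surrounding whitespace dropped).
def canon(el)
  attrs = []
  el.attributes.each_attribute { |a| attrs << [a.name, a.value] }
  attr_s = attrs.sort.map { |k, v| " #{k}=\"#{v}\"" }.join
  kids = el.elements.to_a.map { |c| canon(c) }.join
  "<#{el.name}#{attr_s}>#{el.text.to_s.strip}#{kids}</#{el.name}>"
end

# Identity provider: issue a response whose Assertion is signed and referenced by ID.
def idp_issue(user)
  assertion = "<Assertion ID='a1'><Subject>#{user}</Subject></Assertion>"
  sig = sig_over(canon(REXML::Document.new(assertion).root))
  "<Response>#{assertion}<Signature Ref='a1' Value='#{sig}'/></Response>"
end

# Service-provider side, shared by both verifiers: find the element the Signature's
# Ref names and check the signature over it. Returns that element, or nil on failure.
def signed_element(doc)
  sig = doc.elements['/Response/Signature']
  return nil unless sig
  ref = sig.attributes['Ref']
  target = REXML::XPath.match(doc, '//*[@ID]').find { |e| e.attributes['ID'] == ref }
  return nil unless target
  sig_over(canon(target)) == sig.attributes['Value'] ? target : nil
end

# Vulnerable SP: verifies the signature on the referenced element, then reads the
# subject from the *first* Assertion in document order. The two lookups can resolve
# to different elements, which is exactly what Signature Wrapping exploits.
def subject_vulnerable(xml)
  doc = REXML::Document.new(xml)
  return nil unless signed_element(doc)
  subject = doc.elements['//Assertion/Subject']
  subject && subject.text
end

# Hardened SP: only trust data inside the element whose signature was verified, and
# require that element to be a top-level Assertion rather than something tucked
# into an unexpected wrapper.
def subject_hardened(xml)
  doc = REXML::Document.new(xml)
  target = signed_element(doc)
  return nil unless target && target.name == 'Assertion' && target.parent.equal?(doc.root)
  subject = target.elements['Subject']
  subject && subject.text
end

# Attacker: keep the genuinely signed "alice" assertion intact (so its signature
# still verifies), move it under a wrapper element, and put an unsigned "admin"
# assertion where the vulnerable SP looks first.
def wrap_response(genuine)
  doc = REXML::Document.new(genuine)
  signed = doc.elements['/Response/Assertion'].to_s
  signature = doc.elements['/Response/Signature'].to_s
  "<Response><Assertion ID='evil'><Subject>admin</Subject></Assertion>" \
    "<Extensions>#{signed}</Extensions>#{signature}</Response>"
end

if __FILE__ == $PROGRAM_NAME
  genuine = idp_issue('alice')
  forged  = wrap_response(genuine)
  puts "vulnerable SP, genuine: #{subject_vulnerable(genuine).inspect}"  # "alice"
  puts "vulnerable SP, wrapped: #{subject_vulnerable(forged).inspect}"   # "admin"
  puts "hardened SP,   wrapped: #{subject_hardened(forged).inspect}"     # nil
end
```

The attacker never needs the IdP key: the only signed bytes in the forged response are the ones the IdP really signed for alice, which is why a single valid signed document is the precondition. In ruby-saml the same split arose between two parsers rather than two XPath lookups, but the fix principle is identical: extract the identity from the exact node whose signature was verified, and reject documents where the signed node is not where the protocol says it must be.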

For instances that cannot be updated right away, GitLab has provided mitigations: enforce GitLab's own two-factor authentication (2FA) for all accounts, do not allow SAML logins to bypass that 2FA, and require administrator approval for automatically created users. MFA at the identity provider does not help here, because the attacker completes the IdP login legitimately as themselves and then presents a wrapped response naming someone else; only a second factor enforced by GitLab itself stands between the forged assertion and the victim's session. The releases also fix a remote code execution flaw (CVE-2025-27407), two denial-of-service (DoS) issues (CVE-2024-13054, CVE-2025-1257), a credential disclosure (CVE-2024-12380), exposure of internal notes (CVE-2025-0652), a shell code injection (CVE-2024-8402), and a user invitation approval bypass (CVE-2024-7296). GitLab urges users to update immediately, or to apply the mitigations where updating is not yet possible.
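As an added check, not GitLab's own tooling, the helper below takes a gitlab.rb-shaped settings hash and reports which of the three mitigations are still missing. The `omniauth_*` keys mirror the `gitlab_rails['...']` settings of a self-managed instance; `require_two_factor_authentication` is assumed to be supplied from the Application Settings (Admin Area or Settings API), since 2FA enforcement is not a gitlab.rb key. The "weak" and "mitigated" configurations are constructed for the example.

```ruby
# Added audit helper (not GitLab code): report which advisory mitigations are
# absent from a settings hash laid out like gitlab.rb's gitlab_rails['...'] keys.
def missing_saml_mitigations(settings)
  missing = []

  # 1. GitLab-enforced 2FA for every account (Application Setting, assumed to be
  #    merged into this hash; IdP-side MFA does not count).
  missing << '2FA is not enforced for all GitLab accounts' unless settings['require_two_factor_authentication'] == true

  # 2. SAML must not be allowed to skip GitLab 2FA. The bypass can be switched on
  #    globally (true, or an array of provider names) or per provider in its args.
  global = settings['omniauth_allow_bypass_two_factor']
  bypass_global = global == true || Array(global).map(&:to_s).include?('saml')
  saml = Array(settings['omniauth_providers']).select { |p| p[:name].to_s == 'saml' }
  bypass_provider = saml.any? { |p| (p[:args] || {})[:allow_bypass_two_factor] == true }
  missing << 'SAML logins may bypass GitLab 2FA' if bypass_global || bypass_provider

  # 3. Accounts created on first SAML login stay blocked until an admin approves them.
  missing << 'auto-created SAML users are not blocked pending admin approval' unless settings['omniauth_block_auto_created_users'] == true

  missing
end

# Constructed "before" state: SAML login skips 2FA and new users are active immediately.
WEAK_SETTINGS = {
  'require_two_factor_authentication' => false,
  'omniauth_block_auto_created_users' => false,
  'omniauth_allow_bypass_two_factor'  => ['saml'],
  'omniauth_providers' => [
    { name: 'saml', label: 'Corp SSO',
      args: { idp_sso_service_url: 'https://idp.example.com/sso', allow_bypass_two_factor: true } }
  ]
}.freeze

# Same instance with the advisory's mitigations applied.
MITIGATED_SETTINGS = {
  'require_two_factor_authentication' => true,
  'omniauth_block_auto_created_users' => true,
  'omniauth_allow_bypass_two_factor'  => [],
  'omniauth_providers' => [
    { name: 'saml', label: 'Corp SSO',
      args: { idp_sso_service_url: 'https://idp.example.com/sso', allow_bypass_two_factor: false } }
  ]
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "weak:      #{missing_saml_mitigations(WEAK_SETTINGS).inspect}"       # three findings
  puts "mitigated: #{missing_saml_mitigations(MITIGATED_SETTINGS).inspect}"  # []
end
```

These settings reduce the blast radius of a forged assertion; they do not close the parsing flaw itself, so they are a stopgap until the instance is on 17.9.2, 17.8.5 or 17.7.7.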
