GitLab Security Update – Patch for XSS Vulnerability in File Rendering


GitLab has released security patch releases for both Community Edition (CE) and Enterprise Edition (EE), and urges all self-managed installations to upgrade immediately to the fixed release for their branch: 17.8.1, 17.7.3, or 17.6.4.

The most severe vulnerability, CVE-2025-0314 (CVSS 8.7, High), is a stored cross-site scripting (XSS) flaw: improper rendering of certain file types lets an attacker plant a script that executes in the browser of any user who views the file, which can lead to session hijacking and data theft. The flaw was responsibly disclosed through GitLab's HackerOne bug bounty program.

Other issues fixed in the same releases include CVE-2024-11931 (CVSS 6.4), which allows CI/CD variables to be exfiltrated through the CI lint feature, and CVE-2024-6324 (CVSS 4.3), a denial-of-service (DoS) vulnerability in which cyclic references between epics cause resource exhaustion. Administrators are strongly advised to apply the patches; branches older than 17.6 have no fixed release listed and should be upgraded to a patched branch.
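Because the fix lands on three separate branches, "am I patched?" is a per-branch comparison rather than a single version check. The following is an added example (not GitLab's own tooling and not code from this page) that encodes the fixed releases named above and classifies a self-managed instance's version string; the sample version strings at the bottom are constructed for illustration, and the optional `fetch_version` helper assumes the standard `GET /api/v4/version` endpoint with a personal access token.

```python
"""Check a self-managed GitLab version against the fixed releases
17.8.1, 17.7.3 and 17.6.4 named in the advisory.

Added example, not GitLab's own tooling. Branches newer than 17.8 shipped
after the fix and are treated as patched; branches older than 17.6 have no
fixed release listed and are treated as unpatched.
"""
import re
from typing import Optional, Tuple

# Fixed release per minor branch, as stated in the advisory.
FIXED_VERSIONS = {
    (17, 8): (17, 8, 1),
    (17, 7): (17, 7, 3),
    (17, 6): (17, 6, 4),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; edition suffixes such as '-ee' are ignored."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched(version: str) -> bool:
    """True if `version` is at or above the fixed release for its branch."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_VERSIONS:
        return (major, minor, patch) >= FIXED_VERSIONS[branch]
    # Anything newer than the newest fixed branch already contains the fix;
    # anything older than the oldest fixed branch has no fixed release.
    return branch > max(FIXED_VERSIONS)


def required_upgrade(version: str) -> Optional[str]:
    """Minimum version to move to, or None if the instance is already patched.

    Unpatched branches older than 17.6 are pointed at the oldest fixed
    release (17.6.4) as the minimum target.
    """
    if is_patched(version):
        return None
    branch = parse_version(version)[:2]
    target = FIXED_VERSIONS.get(branch) or FIXED_VERSIONS[min(FIXED_VERSIONS)]
    return ".".join(str(part) for part in target)


def fetch_version(base_url: str, token: str) -> str:
    """Read the running version from GET /api/v4/version (requires a PAT).

    Network call; the constructed samples below do not use it.
    """
    import json
    import urllib.request

    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Constructed sample inventory; in practice feed in fetch_version() output.
    samples = ["17.8.0-ee", "17.8.1-ee", "17.7.2", "17.7.3",
               "17.6.4", "17.5.9", "17.9.0"]
    for v in samples:
        target = required_upgrade(v)
        print(f"{v:12} {'patched' if target is None else 'upgrade to ' + target}")
```

Run it against the output of `fetch_version()` for each instance in an inventory; the classification is deliberately conservative, so a branch with no listed fix is reported as needing an upgrade rather than assumed safe.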
