—–BEGIN PGP SIGNED MESSAGE—–

Hash: SHA256

Multiple vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE) 

Indian – Computer Emergency Response Team (https://www.cert-in.org.in)

Severity Rating: MEDIUM

Software Affected

GitLab CE/EE versions from 15.0 before 18.0.5, 18.1 before 18.1.3 and 18.2 before 18.2.1

Overview

Multiple vulnerabilities have been reported in GitLab which could allow an attacker to bypass security restrictions, obtain sensitive information and perform cross site scripting attacks on the targeted system.

Target Audience:

All organizations and individuals using GitLab.

Risk Assessment:

High Risk of unauthorized access to data and system instability.

Impact Assessment:

Potential for data theft, sensitive information disclosure and complete compromise of system.

Description

GitLab CE is a free, open-source DevOps platform with basic features. GitLab EE is a paid version with advanced tools for security, compliance, and enterprise use.

These vulnerabilities exist in Gitlab due to lack of proper authorization, inadequate access control and improper sanitization of user supplied input.

Successful Exploitation of these vulnerabilities could allow an attacker to bypass security restrictions, obtain sensitive information and perform cross site scripting attack on the targeted system.

Solution

Apply appropriate update as mentioned in GitLab security release:

https://about.gitlab.com/releases/2025/07/23/patch-release-gitlab-18-2-1-released/

Vendor Information

Gitlab

https://about.gitlab.com/releases/

References

Gitlab

https://about.gitlab.com/releases/2025/07/23/patch-release-gitlab-18-2-1-released/

CVE Name

CVE-2025-4700

CVE-2025-4439

CVE-2025-7001

CVE-2025-4976

CVE-2025-0765

CVE-2025-1299

– —

Thanks and Regards,

CERT-In

Incident Response Help Desk

e-mail: incident@cert-in.org.in

Phone: +91-11-22902657

Toll Free Number: 1800-11-4949

Toll Free Fax : 1800-11-6969

Web: http://www.cert-in.org.in

PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4

PGP Key information:

https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS

Postal address:

Indian Computer Emergency Response Team (CERT-In)

Ministry of Electronics and Information Technology

Government of India

Electronics Niketan

6, C.G.O. Complex

New Delhi-110 003

—–BEGIN PGP SIGNATURE—–

iQIzBAEBCAAdFiEE6r4Iam/Ey0c/KakL3jCgcSdcys8FAmikdvMACgkQ3jCgcSdc

ys/qMQ//ZkVY9q/e9wpOhEvWo1uXseWFSD7WCzg3AXLwrJyd/YQqId9YORszLHXi

sededB9muuc1PXZ4bRwrjhr8J0yiv+xaEPW1/6iScSrVzFV+va3SwB0PfPFko/0N

vxGa5yvUnqksjwenCQIPRI4B1wpctuigVHQd/nZLi9nUKyY4ukTV7TqzeI5skqK7

+tlvhMMlNjbpPvPxTaG7LwU5XJfeU6YoSXODbA72hDj6ETfPZZLUWs7g1gX9JMPv

6Yv4+TNArS3czUC2v3+gezm05STNrPPmb8/4ftcmyxXlz/W2Y3M00zFYHm1vHa5P

PFfXvloMXsclj2CKyMn/EpP8+uZuAi0m6jyHsI5MSPEWAHQeTV6tHm1cpC+ObVV0

hNsEgyyaOmfVKb+5nBZuBSil/nZ0LwqyDisZBZb8Ei69Dl20UQK25rkZ2Ri1mwlU

k0QdRmTNfEYo6LhMtrmpES5yGTg1dxmEQQ8UMHjtj1IMozOqwU1P/GTs9/Th4cv5

MkiURijkZOLW0fEpllwcvKVat7W3iq2v0qF9g+OItohkm8D4tQR5C7GhZRP4YGim

qDWpNyvMDwcjqj+PDhLqRiFk7hItVmxxlvLIsB1BTfmIf837mBi1scoW9y8UXcsy

9UobKpAL+wsW1Jq139Di7dYm+HrvaQhEgDFrgWMbE+gUKvPHTpQ=

=r9s8

—–END PGP SIGNATURE—–