[CIVN-2025-0349] Multiple Vulnerabilities in Gitlab

Published On: December 4, 2025

Multiple Vulnerabilities in GitLab
Indian Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
GitLab versions prior to 18.6.1, 18.5.3 and 18.4.5 for GitLab Community Edition (CE) and Enterprise Edition (EE)
Overview
Multiple vulnerabilities have been reported in GitLab that could be exploited by an attacker to bypass security restrictions, cause denial of service conditions and disclose information on the targeted system.
Target Audience:
All organisations and individuals using GitLab.
Risk Assessment:
Risk of unauthorized access to sensitive data and system instability.
Impact Assessment:
Potential exposure to data theft and sensitive information disclosure.
Description
GitLab is a web-based DevOps platform that provides tools for software development, including source code management, continuous integration and continuous deployment. It is available in both open-source Community Edition (CE) and Enterprise Edition (EE) versions.
Multiple vulnerabilities exist in GitLab Community Edition (CE) and Enterprise Edition (EE) due to a race condition in the CI/CD cache, improper authorization issues in account registration and markdown rendering, an information disclosure issue in the Terraform registry, and denial of service issues in HTTP response processing and the JSON input validation middleware. An attacker could exploit these vulnerabilities by sending specially crafted payloads.
Successful exploitation of these vulnerabilities could allow an attacker to bypass security restrictions, cause denial of service conditions and disclose information on the targeted system.
Solution
Apply the appropriate fixes as mentioned in the GitLab Security Advisory:
https://about.gitlab.com/releases/2025/11/26/patch-release-gitlab-18-6-1-released/
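The following is an added example, not part of the CERT-In advisory or of GitLab's own tooling: a small checker that decides whether a reported GitLab version falls inside the affected range stated above (prior to 18.6.1, 18.5.3 and 18.4.5) and which patched release to move to. It assumes each patched version fixes its own minor branch, that branches older than 18.4 (for which no fix is listed) are treated as affected, and that branches newer than 18.6 are not covered by this advisory; the version strings in the sample inventory are constructed.

```python
import re
from typing import Optional, Tuple

# Patched releases named in the advisory, keyed by minor branch.
PATCHED = {(18, 4): (18, 4, 5), (18, 5): (18, 5, 3), (18, 6): (18, 6, 1)}


def parse_version(s: str) -> Tuple[int, int, int]:
    """Parse strings such as '18.6.0', 'v18.5.2' or '18.4.4-ee' (edition
    suffixes as GitLab reports them are accepted and ignored)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-[\w.]+)?", s.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {s!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    v = parse_version(version)
    branch = v[:2]
    if branch in PATCHED:
        return v < PATCHED[branch]          # same branch, below its fix
    if branch > max(PATCHED):
        return False                        # newer branch, outside this advisory
    return True                             # older branch: assumption, no fix listed


def fixed_version_for(version: str) -> Optional[str]:
    """Patched release to upgrade to, or None when the version is not affected.
    Older branches are pointed at the newest patched release (assumption)."""
    if not is_affected(version):
        return None
    target = PATCHED.get(parse_version(version)[:2], PATCHED[max(PATCHED)])
    return ".".join(str(x) for x in target)


def triage(inventory: dict) -> dict:
    """Map host name -> (affected?, upgrade target) for a {host: version} dict."""
    return {host: (is_affected(ver), fixed_version_for(ver))
            for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"git-a": "18.6.0-ee", "git-b": "18.5.3-ce", "git-c": "18.3.9-ee"}
    for host, (affected, target) in triage(sample).items():
        print(f"{host}: {'AFFECTED -> upgrade to ' + target if affected else 'not affected'}")
```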
Vendor Information
GitLab
https://about.gitlab.com/releases/2025/11/26/patch-release-gitlab-18-6-1-released/
References
https://about.gitlab.com/releases/2025/11/26/patch-release-gitlab-18-6-1-released/
CVE Name
CVE-2024-9183
CVE-2025-12571
CVE-2025-12653
CVE-2025-7449
CVE-2025-6195
CVE-2025-13611
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003