[CIVN-2025-0370] Multiple Vulnerabilities in GitLab

Published On: December 17, 2025

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Multiple Vulnerabilities in GitLab
Indian Computer Emergency Response Team (CERT-In) (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
GitLab Community Edition (CE) and Enterprise Edition (EE) versions prior to 18.6.2, 18.5.4 and 18.4.6
Overview
Multiple vulnerabilities have been reported in GitLab that could be exploited by an attacker to disclose sensitive information, bypass authentication, perform cross-site scripting (XSS) and cause a denial of service (DoS) condition on the targeted system.
Target Audience:
All organizations and individuals using GitLab.
Risk Assessment:
Risk of unauthorized access, sensitive information disclosure or service unavailability.
Impact Assessment:
Potential for data exposure, account compromise or service disruption.
Description
GitLab is a web-based DevOps platform that provides tools for software development, including source code management, continuous integration and continuous deployment. It is available in both open-source Community Edition (CE) and Enterprise Edition (EE) versions.
Multiple vulnerabilities exist in GitLab due to improper input validation; flaws in GraphQL endpoints, the Commit API, ExifTool processing, compliance frameworks and error messages; an authentication bypass affecting WebAuthn users; HTML injection in merge request titles; and improper encoding. An attacker could exploit these vulnerabilities by sending specially crafted requests to the targeted system.
Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, bypass authentication, perform cross-site scripting (XSS) and cause a denial of service (DoS) condition on the targeted system.
Solution
Apply the appropriate updates as described in the vendor release notes:
https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released/
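The following triage helper is an added example and is not part of the CERT-In advisory or GitLab's own tooling. It encodes the fixed releases named above (18.6.2, 18.5.4, 18.4.6) and decides whether an installed version string falls under this advisory, including the edge cases the one-line version statement leaves implicit: an edition suffix such as "-ee", a series older than 18.4 (which has no fixed release of its own and must be upgraded), and a series newer than 18.6 (which post-dates the advisory and is assumed here to be outside its scope). In practice the version string would come from an authenticated call to GitLab's GET /api/v4/version endpoint or from the Admin Area; the inputs below are constructed.

```python
"""Triage helper for CIVN-2025-0370: is an installed GitLab version affected?

Added example, not CERT-In or GitLab code. The fixed releases are taken from
the advisory text; all version strings used here are constructed samples.
"""
import json
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Fixed releases named in the advisory, keyed by their (major, minor) series.
FIXED_RELEASES: Dict[Tuple[int, int], Version] = {
    (18, 6): (18, 6, 2),
    (18, 5): (18, 5, 4),
    (18, 4): (18, 4, 6),
}

# GitLab reports "18.5.3-ee" for EE and "18.5.3" for CE; only the numeric
# MAJOR.MINOR.PATCH prefix matters for fix status, so the suffix is ignored.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Parse the leading MAJOR.MINOR.PATCH of a GitLab version string."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def fmt(v: Version) -> str:
    """Render a version tuple as dotted text."""
    return ".".join(str(part) for part in v)


def assess(version_text: str) -> Tuple[bool, str]:
    """Return (affected, reason) for one installed version.

    Rules derived from "versions prior to 18.6.2, 18.5.4 and 18.4.6":
      * a version in a series that received a fix is affected iff it is
        below that series' fixed release;
      * a series newer than the newest fixed series post-dates the advisory
        and is treated as not covered by it (assumption; check later
        advisories separately);
      * any other series (older than 18.4) has no fixed release of its own,
        so every version in it is affected and must be upgraded.
    """
    ver = parse_version(version_text)
    series = ver[:2]
    newest_series = max(FIXED_RELEASES)

    if series in FIXED_RELEASES:
        fixed = FIXED_RELEASES[series]
        if ver < fixed:
            return True, f"{fmt(ver)} is below fixed release {fmt(fixed)}"
        return False, f"{fmt(ver)} is at or above fixed release {fmt(fixed)}"

    if series > newest_series:
        return False, (f"{fmt(ver)} is newer than the {series[0]}.{series[1]} "
                       "series; not covered by this advisory")

    oldest_fixed = FIXED_RELEASES[min(FIXED_RELEASES)]
    return True, (f"{fmt(ver)} is in a series with no fixed release; "
                  f"upgrade to at least {fmt(oldest_fixed)}")


def assess_version_response(body: str) -> Tuple[bool, str]:
    """Assess the JSON body returned by GitLab's GET /api/v4/version."""
    data = json.loads(body)
    return assess(data["version"])


if __name__ == "__main__":
    # Constructed sample response body (revision value is a placeholder).
    sample_body = '{"version": "18.5.3-ee", "revision": "0000000"}'
    print(assess_version_response(sample_body))
    for v in ("18.6.1", "18.6.2", "18.4.5-ee", "18.3.9", "17.11.0", "18.7.0"):
        affected, reason = assess(v)
        print(f"{v:>10}: {'AFFECTED' if affected else 'ok':8} {reason}")
```

The version endpoint requires an authenticated token, so run the check from a host that already holds one; the helper itself makes no network calls and can be pointed at a saved response body. Because the advisory lists several CVEs with different impacts, a "not affected" result here only means the instance is at or above the patched release, not that the individual issues have been verified.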
Vendor Information
GitLab
https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released/
References
https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released/
CVE Name
CVE-2025-12716
CVE-2025-8405
CVE-2025-12029
CVE-2025-12562
CVE-2025-11984
CVE-2025-4097
CVE-2025-14157
CVE-2025-11247
CVE-2025-13978
CVE-2025-12734
--
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
