GitLab Patches Multiple Vulnerabilities that Enables Arbitrary Code Execution
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
GitLab has released emergency security patches for multiple versions of its platform, addressing eight vulnerabilities that could enable arbitrary code execution and unauthorized access<\/a> in self-managed installations.<\/p>\n The updated versions 18.7.1, 18.6.3, and 18.5.5 were deployed to GitLab.com on January 7, 2026, with self-hosted customers strongly advised to upgrade immediately.<\/p>\n The most severe vulnerability, CVE-2025-9222, affects GitLab Community and Enterprise Editions and has a CVSS score of 8.7.<\/p>\n This stored cross-site scripting<\/a> (XSS) flaw in GitLab Flavored Markdown placeholders could allow authenticated attackers to execute malicious code within victims\u2019 browsers.<\/p>\n Impacted versions span from 18.2.2 through 18.7.0, affecting a broad range of deployments. A second high-severity issue, CVE-2025-13761, affects the Web IDE component and carries a CVSS score of 8.0.<\/p>\n This flaw allows attackers to execute\u00a0malicious code<\/a>\u00a0by luring logged-in users to malicious<\/span> web pages, which can hijack sessions and lead to unauthorized access to repositories.<\/p>\n Enterprise Edition customers face additional risks from CVE-2025-13772, a missing authorization bug in the Duo Workflows API that allows authenticated users to access\u00a0AI<\/a><\/span> model<\/a> settings from unauthorized namespaces.<\/p>\n Discovered internally by GitLab engineer Jessie Young, this flaw carries a CVSS score of 7.1.<\/p>\n The security update also addresses medium-severity issues, including denial-of-service<\/a> vulnerabilities in import functionality (CVE-2025-10569).<\/p>\n Insufficient access controls in GraphQL mutations that could allow unauthorized runner modifications (CVE-2025-11246).<\/p>\n A low-severity information disclosure bug in Mermaid diagram rendering (CVE-2025-3950) completes the patch set.<\/p>\n GitLab\u2019s security team emphasizes that all deployment types, Omnibus packages, source code installations, and Helm charts require immediate updating.<\/p>\n Single-node instances will experience downtime during upgrades due to mandatory database migrations. At the same time, multi-node deployments can achieve zero-downtime<\/a> updates following proper procedures.<\/p>\n The vulnerabilities were reported via GitLab\u2019s HackerOne\u00a0bug bounty\u00a0program<\/a>, with researcher yvvdwf credited with<\/span> discovering the critical XSS flaw.<\/p>\n GitLab maintains a 30-day disclosure policy, under which detailed issue reports become public on its tracker after the patch release<\/a>.<\/p>\n Self-managed GitLab administrators should consult the official update documentation and subscribe to GitLab\u2019s security release RSS feed for future patch notifications.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post GitLab Patches Multiple Vulnerabilities that Enables Arbitrary Code Execution<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nAdditional Vulnerabilities and Impact<\/strong><\/h2>\n