CVE-2025-0376
📋 TL;DR
A cross-site scripting (XSS) vulnerability in GitLab CE/EE allows attackers to inject malicious scripts into change pages. When exploited, this enables unauthorized actions by tricking authenticated users into executing attacker-controlled JavaScript. All GitLab instances running affected versions are vulnerable.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users (including administrators), exfiltrate sensitive data, or redirect users to malicious sites.
Likely Case
Attackers craft malicious change pages that execute JavaScript in victims' browsers, potentially stealing session tokens or performing unauthorized GitLab actions.
If Mitigated
With proper Content Security Policy (CSP) headers and input validation, impact is limited to the specific vulnerable component only.
🎯 Exploit Status
Exploitation requires an attacker to create or modify change pages and trick authenticated users into viewing them. No authentication bypass is required for the XSS payload to execute.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 17.6.5, 17.7.4, 17.8.2
Vendor Advisory: https://gitlab.com/gitlab-org/gitlab/-/issues/512603
Restart Required: No
Instructions:
1. Back up your GitLab instance.
2. Update to GitLab 17.6.5, 17.7.4, or 17.8.2 depending on your current version.
3. For self-managed installations, use the official upgrade documentation.
4. For GitLab.com, patches are automatically applied.
🔧 Temporary Workarounds
Restrict User Access to Change Pages
Limit which users can create or modify change pages to reduce attack surface.
Implement Content Security Policy
Add CSP headers to restrict script execution sources and mitigate XSS impact.
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to detect and block XSS payloads in change page requests.
- Monitor for suspicious activity in GitLab audit logs and implement user behavior analytics.
🔍 How to Verify
Check if Vulnerable:
Check GitLab version via Admin Area → Overview → Version or run 'sudo gitlab-rake gitlab:env:info' on self-managed instances.
Check Version:
sudo gitlab-rake gitlab:env:info | grep 'GitLab version'
Verify Fix Applied:
Confirm the running version is 17.6.5, 17.7.4, or 17.8.2 or later. Test change page functionality for script injection attempts.
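An added version check, not from this page or from GitLab, that applies the rule above to the output of gitlab-rake gitlab:env:info. It assumes the version appears on a line containing the word "version" (as the grep above does), that a version below its branch's listed patch release is unpatched, and that release branches newer than 17.8 already carry the fix.

```python
import re

# Patched releases named in the advisory, keyed by (major, minor) release branch.
PATCHED = {(17, 6): (17, 6, 5), (17, 7): (17, 7, 4), (17, 8): (17, 8, 2)}


def parse_version(text):
    """Return (major, minor, patch) from a line such as 'GitLab version: 17.7.3-ee'.

    Assumption: the number follows the word 'version' (any case); a -ce/-ee
    suffix is ignored.
    """
    m = re.search(r"version:?\s*v?(\d+)\.(\d+)\.(\d+)", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"no GitLab version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_patched(version):
    """True when the version is at or above the patched release of its branch.

    Assumptions (not stated on the page): a branch newer than 17.8 already
    contains the fix; a branch older than 17.6 has no listed fix and is
    reported as unpatched rather than silently treated as safe.
    """
    branch = version[:2]
    if branch in PATCHED:
        return version >= PATCHED[branch]
    return branch > max(PATCHED)


def check_env_info(output):
    """Find the version line in gitlab:env:info output; return (version, patched)."""
    for line in output.splitlines():
        if "version" in line.lower():
            version = parse_version(line)
            return version, is_patched(version)
    raise ValueError("no version line in gitlab:env:info output")


# Constructed sample of gitlab:env:info output (not captured from a real host).
SAMPLE_ENV_INFO = """System information
System:         Ubuntu 22.04
Current User:   git

GitLab information
Version:        17.7.3-ee
Revision:       <placeholder>
"""

if __name__ == "__main__":
    version, patched = check_env_info(SAMPLE_ENV_INFO)
    label = "patched" if patched else "UNPATCHED for CVE-2025-0376"
    print("GitLab " + ".".join(map(str, version)) + ": " + label)
```

Pipe real output in with `sudo gitlab-rake gitlab:env:info | python3 -c 'import sys; ...'` or read it from a file; the sample above is only a constructed stand-in.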
📡 Detection & Monitoring
Log Indicators:
- Unusual change page creation/modification patterns
- JavaScript payloads in change page content in application logs
Network Indicators:
- HTTP requests containing script tags or JavaScript in change page parameters
SIEM Query:
source="gitlab" AND ("change page" OR "update page") AND ("script" OR "javascript" OR "onclick" OR "onload")