CVE-2025-11224
📋 TL;DR
This vulnerability allows authenticated users to execute stored cross-site scripting (XSS) attacks through improper input validation in GitLab's Kubernetes proxy functionality. It affects all GitLab CE/EE installations running vulnerable versions, potentially enabling attackers to steal session cookies, perform actions as victims, or deface pages. Any organization using affected GitLab versions with authenticated users is at risk.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
An attacker could steal administrator session cookies, gain full administrative access to the GitLab instance, exfiltrate source code, modify repositories, or deploy malicious code to connected Kubernetes clusters.
Likely Case
Attackers could steal user session tokens, perform actions as other users (like committing malicious code), or deface GitLab interface pages with malicious content.
If Mitigated
With proper input validation and output encoding, the attack would fail to execute malicious scripts, limiting impact to benign payload display.
🎯 Exploit Status
Exploitation requires authenticated access but leverages common XSS techniques. The HackerOne report suggests detailed exploitation methods exist.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 18.3.6, 18.4.4, or 18.5.2
Vendor Advisory: https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released/
Restart Required: Yes
Instructions:
1. Back up your GitLab instance.
2. Update to a patched version using your package manager (apt/yum).
3. Run 'gitlab-ctl reconfigure'.
4. Restart GitLab services with 'gitlab-ctl restart'.
🔧 Temporary Workarounds
Disable Kubernetes proxy
Platform: Linux
Temporarily disable the vulnerable Kubernetes proxy functionality if it is not required
gitlab-rails runner "ApplicationSetting.current.update!(kubernetes_proxy_enabled: false)"
Restrict user permissions
Platform: All
Implement least privilege by restricting authenticated user access to Kubernetes proxy features
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to block inline script execution
- Enable web application firewall (WAF) rules to detect and block XSS payloads in Kubernetes proxy requests
🔍 How to Verify
Check if Vulnerable:
Check the GitLab version with 'cat /opt/gitlab/version-manifest.txt' or via Admin Area > Overview in the web interface
Check Version:
sudo gitlab-rake gitlab:env:info | grep 'Version:'
Verify Fix Applied:
Confirm the running version is at or above the patched release for its own series (18.3.6 for 18.3.x, 18.4.4 for 18.4.x, 18.5.2 for 18.5.x) and test Kubernetes proxy functionality with XSS payloads
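The version check above is easy to get wrong in two ways: `grep 'Version:'` also matches the Ruby, Gem and Redis lines of `gitlab:env:info`, and a naive "greater than 18.3.6" comparison would wrongly clear 18.4.0, because the fixes are shipped per release series. The following script is an added example (not part of this advisory page or of GitLab's own tooling) that parses the version from a constructed sample of the command output and compares it against the patched releases listed on this page. The sample output and the rule that series newer than 18.5 are treated as fixed are assumptions.

```python
import re

# Patched releases named on this page, keyed by release series (major, minor).
PATCHED = {
    (18, 3): (18, 3, 6),
    (18, 4): (18, 4, 4),
    (18, 5): (18, 5, 2),
}

# Constructed sample of `sudo gitlab-rake gitlab:env:info` output (not real output).
# `grep 'Version:'` would also match the Ruby, Gem and Redis lines, so the
# parser anchors on a line that *starts* with "Version:".
SAMPLE_ENV_INFO = """\
System information
System:
Current User:   git
Ruby Version:   3.2.5
Gem Version:    3.5.11
Redis Version:  7.0.15

GitLab information
Version:        18.4.3-ee
Revision:       0000000
"""


def parse_version(text):
    """Return (major, minor, patch) from env:info output or a version string.

    A line beginning with "Version:" wins; otherwise the first X.Y.Z token
    in the text is used (covers a single-line input such as "gitlab-ee 18.4.3-ee").
    The -ee/-ce edition suffix is ignored.
    """
    m = re.search(r"^Version:\s*(\d+)\.(\d+)\.(\d+)", text, re.MULTILINE)
    if m is None:
        m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if m is None:
        raise ValueError("no GitLab version found in input")
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """True if `version` is at or above the patched release of its own series.

    18.4.0 is numerically newer than 18.3.6 but still unpatched: each series
    has its own fix, so the comparison must stay inside the (major, minor) branch.
    """
    series = version[:2]
    if series in PATCHED:
        return version >= PATCHED[series]
    if series > max(PATCHED):
        return True   # assumption: series released after 18.5.2 carry the fix
    return False      # older series have no patched release on this page; treat as unpatched


def assess(text):
    """Parse a version from command output and label it."""
    v = parse_version(text)
    label = "patched" if is_patched(v) else "UNPATCHED"
    return v, label


if __name__ == "__main__":
    version, label = assess(SAMPLE_ENV_INFO)
    print("GitLab %d.%d.%d is %s" % (version + (label,)))
```

On a real host, pipe `sudo gitlab-rake gitlab:env:info` into the script instead of using the embedded sample; the anchored `^Version:` match is what keeps the Ruby version from being picked up.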
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to Kubernetes proxy endpoints with script tags
- Error logs showing blocked XSS attempts in proxy functionality
Network Indicators:
- HTTP requests containing <script> tags to /api/v4/kubernetes/proxy/* endpoints
- Unexpected JavaScript execution in Kubernetes proxy responses
SIEM Query:
source="gitlab.log" AND ("kubernetes/proxy" AND ("<script" OR "javascript:" OR "onerror="))
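The SIEM query above matches literal indicator strings, so a payload that arrives URL-encoded (or double-encoded) in a query parameter would slip past it. The script below is an added example (not from this page or from GitLab) that applies the same three indicators to constructed log events, scoped to the Kubernetes proxy path as the query is, but decodes parameter values until they are stable before matching. The event shape (one JSON object per line with `path`, `params`, `username`, `remote_ip` fields) is an assumption loosely modelled on GitLab's production_json.log; adapt the field names to the log source you actually ingest.

```python
import json
from urllib.parse import unquote

# Indicators taken from the SIEM query on this page; matched case-insensitively.
INDICATORS = ("<script", "javascript:", "onerror=")
PROXY_PATH = "kubernetes/proxy"

# Constructed sample events (not real logs). Field names are an assumption.
SAMPLE_LOG = [
    '{"method":"GET","path":"/api/v4/projects/1/repository/tree","params":[],"status":200,"username":"alice","remote_ip":"10.0.0.5"}',
    '{"method":"POST","path":"/api/v4/kubernetes/proxy/api/v1/namespaces","params":[{"key":"name","value":"%3Cscript%3E"}],"status":403,"username":"bob","remote_ip":"10.0.0.9"}',
    '{"method":"POST","path":"/api/v4/kubernetes/proxy/apis/apps/v1/deployments","params":[{"key":"label","value":"x%2522%2520onError%253D"}],"status":200,"username":"bob","remote_ip":"10.0.0.9"}',
    '{"method":"POST","path":"/api/v4/projects/1/issues","params":[{"key":"description","value":"<script>"}],"status":201,"username":"carol","remote_ip":"10.0.0.7"}',
    'not a json line at all',
]


def fully_decode(s, max_rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded values are not missed."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def inspect_event(line):
    """Return a hit record if the event targets the Kubernetes proxy and
    carries an indicator in its path or parameters, else None."""
    try:
        event = json.loads(line)
    except ValueError:
        return None  # skip non-JSON lines instead of aborting the scan
    path = str(event.get("path", ""))
    if PROXY_PATH not in path:
        return None  # mirrors the page's query: only proxy endpoints are in scope
    haystack = fully_decode(path)
    for param in event.get("params", []):
        haystack += " " + fully_decode(str(param.get("value", "")))
    haystack = haystack.lower()
    for indicator in INDICATORS:
        if indicator in haystack:
            return {
                "username": event.get("username"),
                "remote_ip": event.get("remote_ip"),
                "path": path,
                "status": event.get("status"),
                "indicator": indicator,
            }
    return None


def scan(lines):
    """Run inspect_event over every line and collect the hits for triage."""
    return [hit for hit in (inspect_event(line) for line in lines) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Treat hits as triage leads, not verdicts: the rule inherits the query's blind spot that only three literal indicators are checked, and it deliberately ignores the same strings on non-proxy endpoints (the issue event in the sample) to stay aligned with the page's query scope. The `status` field is carried along because a 403 on the proxy endpoint with an indicator present is a useful signal that an attempt was rejected rather than stored.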