CVE-2025-9222
📋 TL;DR
This vulnerability allows an authenticated user to inject malicious scripts into GitLab's Markdown rendering; the injected scripts then execute in other users' browsers when they view the content. It affects all GitLab Community Edition and Enterprise Edition installations running vulnerable versions. Attackers could steal session cookies, redirect users, or perform actions on their behalf.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
An attacker could steal administrator session tokens, take over accounts, exfiltrate sensitive data, or deploy ransomware across the GitLab instance.
Likely Case
Attackers inject malicious JavaScript into issues, merge requests, or comments to steal session cookies from other users, leading to account compromise.
If Mitigated
With proper CSP headers and other web security controls, script execution might be blocked, limiting impact to UI manipulation or data leakage.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once an account is obtained. Markdown injection is a well-known attack vector.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 18.5.5, 18.6.3, or 18.7.1
Vendor Advisory: https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released/
Restart Required: Yes
Instructions:
1. Backup your GitLab instance.
2. Update to GitLab 18.5.5, 18.6.3, or 18.7.1 using your package manager.
3. Run 'sudo gitlab-ctl reconfigure'.
4. Run 'sudo gitlab-ctl restart'.
🔧 Temporary Workarounds
Disable Markdown rendering for untrusted users
Restrict Markdown editing permissions to trusted users only through project settings.
Implement Content Security Policy
Add CSP headers to block inline script execution in GitLab responses.
Add to nginx config: add_header Content-Security-Policy "script-src 'self';" always;
🧯 If You Can't Patch
- Restrict user registration and require manual approval for new accounts.
- Monitor GitLab logs for unusual Markdown patterns and implement WAF rules to block script tags in user content.
🔍 How to Verify
Check if Vulnerable:
Check your GitLab version: if it is in the range 18.2.2 to 18.5.4, 18.6.0 to 18.6.2, or exactly 18.7.0, you are vulnerable.
Check Version:
sudo gitlab-rake gitlab:env:info | grep 'Version:'
Verify Fix Applied:
After patching, verify that the version is 18.5.5, 18.6.3, or 18.7.1 or later.
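As an added example (not part of this advisory), a POSIX shell function that classifies the 'Version:' line printed by the command above against the affected and fixed ranges stated in this section. The function names are assumptions; versions below 18.2.2 are reported as out-of-range because the page does not state their status.

```shell
#!/bin/sh
# Added example, not from the advisory: classify a GitLab version against
# the ranges stated on this page.
#   vulnerable: 18.2.2-18.5.4, 18.6.0-18.6.2, exactly 18.7.0
#   patched:    18.5.5+ (18.5 line), 18.6.3+ (18.6 line), 18.7.1 or later

# Turn "MAJOR.MINOR.PATCH" into one comparable integer.
# Assumes each component is below 1000, which holds for GitLab releases.
vkey() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# in_range VERSION LOW HIGH: succeeds when LOW <= VERSION <= HIGH
in_range() {
    v=$(vkey "$1"); lo=$(vkey "$2"); hi=$(vkey "$3")
    [ "$v" -ge "$lo" ] && [ "$v" -le "$hi" ]
}

# Accepts a bare version ("18.6.1") or a line such as "Version: 18.6.1-ee"
# as printed by `gitlab-rake gitlab:env:info`, and prints one of
# "vulnerable", "patched" or "out-of-range".
gitlab_cve_2025_9222_status() {
    # Extract the first MAJOR.MINOR.PATCH triple; a suffix like "-ee" is dropped.
    ver=$(printf '%s' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    if in_range "$ver" 18.2.2 18.5.4 || in_range "$ver" 18.6.0 18.6.2 \
        || in_range "$ver" 18.7.0 18.7.0; then
        echo vulnerable
    elif in_range "$ver" 18.5.5 18.5.999 || in_range "$ver" 18.6.3 18.6.999 \
        || [ "$(vkey "$ver")" -ge "$(vkey 18.7.1)" ]; then
        echo patched
    else
        echo out-of-range
    fi
}

# Typical use on the host (uncomment to run against the live instance):
# gitlab_cve_2025_9222_status "$(sudo gitlab-rake gitlab:env:info | grep 'Version:')"
```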
📡 Detection & Monitoring
Log Indicators:
- Unusual Markdown content in GitLab logs containing script tags or JavaScript
- Multiple failed login attempts followed by successful login and Markdown posting
Network Indicators:
- Outbound connections to unknown domains from the GitLab server after Markdown rendering
- Unexpected JavaScript execution in browser dev tools
SIEM Query (Splunk-style search):
source="gitlab" (message="*script*" OR message="*javascript*" OR message="*onclick*")