GitLab has announced critical security updates to its DevSecOps platform, addressing multiple high-severity vulnerabilities that could enable attackers to take over accounts and inject malicious jobs into future pipelines. The company has released versions 18.0.2, 17.11.4, and 17.10.8, urging all administrators to upgrade immediately.
In a statement, GitLab emphasized the urgency of this update, stating, “These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately.” It also clarified that GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take additional action.
Among the most significant vulnerabilities addressed is CVE-2025-4278, an HTML injection issue that could allow remote attackers to seize control of accounts by injecting malicious code into GitLab’s search page. CVE-2025-5121 is a missing-authorization issue affecting GitLab Ultimate EE that could grant attackers the ability to inject harmful CI/CD jobs into any project’s pipelines. Successful exploitation of this flaw requires authenticated access to a GitLab instance with a GitLab Ultimate license.
Additionally, GitLab patched a cross-site scripting vulnerability (CVE-2025-2254) that could enable an attacker to act within the context of a legitimate user, and a denial-of-service flaw (CVE-2025-0673) that could cause infinite redirect loops, leading to memory exhaustion and blocking access for legitimate users. Recent breaches reported by companies such as Europcar Mobility Group and Pearson underscore the growing threat to GitLab repositories, which often store sensitive information.
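For administrators checking a fleet of self-managed instances, the following added example (not GitLab’s code) maps a reported version string to its release branch and compares it against the three patched releases named above; the version strings in the inventory are constructed, and an instance’s real version could be read from the `/api/v4/version` endpoint, which this example does not call.

```python
import re

# Patched releases from the advisory, keyed by (major, minor) release branch.
PATCHED_RELEASES = {
    (18, 0): (18, 0, 2),
    (17, 11): (17, 11, 4),
    (17, 10): (17, 10, 8),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Parse strings such as '17.11.3-ee' or '18.0.1' into (major, minor, patch)."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(version_text):
    """Classify a version as 'patched', 'vulnerable' or 'unknown-branch'.

    Only the three branches that received fixes are known here; any other
    branch (older, unmaintained ones or branches released later) is flagged
    for manual review rather than guessed at.
    """
    version = parse_version(version_text)
    fixed = PATCHED_RELEASES.get(version[:2])
    if fixed is None:
        return "unknown-branch"
    # Same branch: the patch number decides whether the fix is present.
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory):
    """Return {hostname: status} for a {hostname: version} inventory."""
    return {host: assess(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for illustration; hostnames and versions are made up.
    sample_inventory = {
        "gitlab-prod.example.invalid": "18.0.1-ee",
        "gitlab-staging.example.invalid": "17.11.4-ee",
        "gitlab-legacy.example.invalid": "17.9.2",
    }
    for host, status in triage(sample_inventory).items():
        print(f"{host}: {status}")
```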
GitLab’s platform is extensively used, boasting over 30 million registered users, with more than half of Fortune 100 companies among its clientele, including major firms such as Goldman Sachs, Airbus, T-Mobile, Lockheed Martin, Nvidia, and UBS. As cyber threats evolve, experts emphasize the need for organizations to adopt comprehensive security measures to safeguard their data.