XSS Vulnerability in GitLab by GitLab Inc.
CVE-2025-0376

8.7HIGH

Key Information:

Vendor: Gitlab
Status: Gitlab
Vendor: CVE Published:; 12 February 2025

Badges

👾 Exploit Exists🟡 Public PoC

Summary

An XSS vulnerability has been identified in multiple versions of GitLab CE/EE, impacting versions from 13.3 up to 17.6.5, 17.7 up to 17.7.4, and 17.8 up to 17.8.2. This vulnerability allows attackers to execute unauthorized actions through a flawed change page mechanism, potentially compromising sensitive information and altering user permissions. Ensuring proper updates and security measures is essential for users to safeguard their projects.

Affected Version(s)

GitLab 13.3 < 17.6.5

GitLab 17.7 < 17.7.4

GitLab 17.8 < 17.8.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-0376 - Proof of Concept

References

https://gitlab.com/gitlab-org/gitlab/-/issues/512603

issue-trackingpermissions-required

https://hackerone.com/reports/2930243

technical-descriptionexploitpermissions-required

CVSS V3.1

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

🟡
Public PoC available
Feb 12, 2025
👾
Exploit known to exist
Feb 12, 2025
Vulnerability published
Feb 12, 2025
Vulnerability Reserved
Jan 10, 2025

Credit

Thanks [yvvdwf](https://hackerone.com/yvvdwf) for reporting this vulnerability through our HackerOne bug bounty program