HTML Injection Vulnerability in GitLab Community and Enterprise Editions
CVE-2025-8405
What is CVE-2025-8405?
GitLab has disclosed a security vulnerability in its Community and Enterprise Editions that allows an authenticated user to inject malicious HTML into certain views associated with vulnerability code flow. Because the injected markup is rendered for other users, it could be used to perform unauthorized actions on their behalf, undermining user permissions and potentially exposing sensitive data. All versions from 17.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 are affected. Users are strongly advised to upgrade their instances to a patched version to mitigate this risk.
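To illustrate the vulnerability class rather than GitLab's actual code path, the following is an added Ruby example (not GitLab's code, and not derived from the advisory) that contrasts rendering a user-controlled label directly into HTML with escaping it first. The label value, the `code-flow` wrapper, and the helper names are all constructed for this example; the actual affected view in GitLab is not shown on this page.

```ruby
require 'erb'

# Constructed sample: a user-controlled string such as a name or label that
# later appears in a rendered view. Placeholder content for this example only,
# not a payload from the advisory.
UNTRUSTED_LABEL = '<a href="https://example.invalid/">review</a> flow'

# Vulnerable pattern: untrusted text is interpolated straight into markup,
# so any tags it contains become part of the page for whoever views it.
def render_unsafe(label)
  "<span class=\"code-flow\">#{label}</span>"
end

# Hardened pattern: HTML-escape the text before interpolation so it is
# displayed as data rather than interpreted as markup.
def render_safe(label)
  "<span class=\"code-flow\">#{ERB::Util.html_escape(label)}</span>"
end

# Defensive check usable in a view test: strip the known wrapper and report
# whether anything that looks like a tag survived inside it.
def contains_foreign_markup?(html)
  inner = html.sub(/\A<span class="code-flow">/, '').sub(%r{</span>\z}, '')
  inner.include?('<') || inner.include?('>')
end

if __FILE__ == $PROGRAM_NAME
  puts render_unsafe(UNTRUSTED_LABEL)
  puts render_safe(UNTRUSTED_LABEL)
  puts "unsafe leaks markup: #{contains_foreign_markup?(render_unsafe(UNTRUSTED_LABEL))}"
  puts "safe leaks markup:   #{contains_foreign_markup?(render_safe(UNTRUSTED_LABEL))}"
end
```

In a Rails application the same effect is normally obtained by leaving auto-escaping in place and never marking user-derived strings as `html_safe`; a test like `contains_foreign_markup?` run over rendered fragments is a cheap regression guard for views that display user-controlled names or labels.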

Affected Version(s)
GitLab 17.1 < 18.4.6
GitLab 18.5 < 18.5.4
GitLab 18.6 < 18.6.2
References
CVSS V3.1
Timeline
Vulnerability published
Vulnerability Reserved