GitLab disclosed nine vulnerabilities across its Community (CE) and Enterprise (EE) editions, with **CVE-2025-6945** being the most critical—a **prompt-injection flaw in GitLab Duo’s AI-powered review feature** that allows authenticated attackers to exfiltrate sensitive data from **confidential issues** via hidden prompts in merge request comments. The exploit relies on the absence of input validation on the text the AI assistant consumes, turning the assistant itself into a data-leakage channel. Additionally, **CVE-2025-11224** (a stored XSS vulnerability in the Kubernetes proxy) enables authenticated users to execute malicious scripts, while **CVE-2025-2615** and **CVE-2025-7000** expose confidential data through GraphQL subscriptions and branch name leaks, respectively. The flaws span versions back to **15.10**, creating a broad attack surface for organizations running unpatched instances. Though no evidence of active exploitation exists, the vulnerabilities risk **unauthorized access to proprietary code, internal discussions, and project metadata**, potentially aiding supply-chain attacks or competitive espionage. GitLab has released patches (versions **18.5.2, 18.4.4, 18.3.6**) and urged immediate upgrades for self-managed deployments.
GitLab cybersecurity rating report: https://www.rankiteo.com/company/gitlab-com
{
  "id": "GIT5234552111325",
  "linkid": "gitlab-com",
  "type": "Vulnerability",
  "date": "6/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "customers_affected": [
        "Self-managed GitLab installations (versions prior to 18.5.2, 18.4.4, 18.3.6)",
        "Organizations using GitLab Duo",
        "Users of Kubernetes proxy functionality",
        "Enterprise Edition users with Duo workflows"
      ],
      "industry": "Technology / DevOps",
      "location": "Global",
      "name": "GitLab Inc.",
      "type": "Software Company"
    }
  ],
  "attack_vector": [
    "Prompt Injection (CVE-2025-6945)",
    "Cross-Site Scripting (CVE-2025-11224)",
    "Improper Authorization (CVE-2025-11865)",
    "Information Disclosure (CVE-2025-2615, CVE-2025-7000, CVE-2025-6171)",
    "Improper Access Control (CVE-2025-7736)",
    "Denial of Service (CVE-2025-12983)",
    "Client-Side Path Traversal (CVE-2025-11990)"
  ],
  "customer_advisories": [
    "GitLab.com users are already protected (no action required)",
    "Dedicated customers require no action",
    "Self-managed customers must upgrade immediately"
  ],
  "data_breach": {
    "data_exfiltration": [
      "Potential exfiltration via prompt injection (CVE-2025-6945)",
      "Unauthorized access to confidential data via multiple vectors"
    ],
    "sensitivity_of_data": "High (includes confidential project information and access-controlled data)",
    "type_of_data_compromised": [
      "Confidential issue details",
      "Confidential branch names",
      "Restricted branch names",
      "Sensitive information accessible via GraphQL subscriptions"
    ]
  },
  "description": "GitLab has released critical security patches addressing nine vulnerabilities across Community Edition (CE) and Enterprise Edition (EE), including a particularly concerning prompt-injection flaw in GitLab Duo that could expose sensitive information from confidential issues. The company is urging all self-managed installations to upgrade immediately to versions 18.5.2, 18.4.4, or 18.3.6. The most alarming vulnerability is CVE-2025-6945, a prompt injection flaw in GitLab Duo’s review feature that allows authenticated users to leak sensitive information from confidential issues by injecting hidden prompts into merge request comments. This attack demonstrates how AI-powered features can become significant security risks when input validation fails. The patch batch also includes a high-severity cross-site scripting vulnerability (CVE-2025-11224) in the Kubernetes proxy functionality, which could allow authenticated users to execute stored XSS attacks due to improper input validation. Additional medium- and low-severity vulnerabilities were also patched, highlighting critical gaps in GitLab’s access control mechanisms.",
  "impact": {
    "brand_reputation_impact": [
      "Potential reputational damage due to AI-powered feature vulnerabilities",
      "Trust erosion in access control mechanisms"
    ],
    "data_compromised": [
      "Sensitive information from confidential issues (CVE-2025-6945)",
      "Confidential branch names (CVE-2025-7000)",
      "Restricted branch names (CVE-2025-6171)",
      "Confidential information via GraphQL (CVE-2025-2615)"
    ],
    "operational_impact": [
      "Potential unauthorized access to sensitive data",
      "Risk of stored XSS attacks in Kubernetes proxy",
      "Exposure of confidential issues via AI feature exploitation"
    ],
    "systems_affected": [
      "GitLab Community Edition (CE)",
      "GitLab Enterprise Edition (EE)",
      "GitLab Duo (AI-powered review feature)",
      "Kubernetes proxy functionality",
      "GraphQL subscriptions",
      "Packages API",
      "GitLab Pages",
      "Markdown processing"
    ]
  },
  "investigation_status": "Resolved (patches released)",
  "lessons_learned": [
    "AI-powered features (e.g., GitLab Duo) introduce new attack surfaces requiring robust input validation.",
    "Stored XSS vulnerabilities in proxy functionalities can have broad impact across integrated systems (e.g., Kubernetes).",
    "Access control mechanisms require continuous review to prevent authorization bypasses and information disclosure.",
    "Coordinated vulnerability disclosure programs (e.g., HackerOne) are effective in identifying and mitigating security flaws.",
    "Prompt patching of third-party dependencies (e.g., libxslt) is critical to comprehensive security."
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      "Implemented stricter input validation for AI feature prompts.",
      "Enhanced XSS protections in proxy functionalities.",
      "Strengthened authorization and access control policies.",
      "Restricted GraphQL subscription access for blocked users.",
      "Updated libxslt to version 1.1.43 to patch additional vulnerabilities.",
      "Released comprehensive security patches for all affected versions."
    ],
    "root_causes": [
      "Insufficient input validation in GitLab Duo’s prompt handling (CVE-2025-6945).",
      "Improper sanitization in Kubernetes proxy leading to XSS (CVE-2025-11224).",
      "Flawed authorization checks in workflows and access control mechanisms (CVE-2025-11865, CVE-2025-7000, etc.).",
      "Inadequate restrictions on GraphQL subscriptions for blocked users (CVE-2025-2615).",
      "Outdated third-party library (libxslt) with known vulnerabilities."
    ]
  },
  "recommendations": [
    "Immediately upgrade self-managed GitLab instances to patched versions (18.5.2, 18.4.4, or 18.3.6).",
    "Review and harden input validation for AI-powered features to prevent prompt-injection attacks.",
    "Audit Kubernetes proxy configurations to mitigate XSS risks.",
    "Enhance access control policies for GraphQL subscriptions, branch names, and workflows.",
    "Monitor for unauthorized access attempts targeting newly patched vulnerabilities.",
    "Participate in bug bounty programs to proactively identify and address security flaws.",
    "Regularly update all dependencies to their latest secure versions."
  ],
  "references": [
    {"source": "GitLab Security Release Blog"},
    {"source": "HackerOne Vulnerability Reports"},
    {"source": "CVE Database Entries (CVE-2025-6945, CVE-2025-11224, etc.)"}
  ],
  "response": {
    "communication_strategy": [
      "Public security advisory",
      "Urgent upgrade notification for self-managed customers",
      "Transparency about affected versions and vulnerabilities"
    ],
    "containment_measures": [
      "Release of security patches (versions 18.5.2, 18.4.4, 18.3.6)",
      "Immediate upgrade recommendation for self-managed installations"
    ],
    "incident_response_plan_activated": true,
    "remediation_measures": [
      "Patching prompt-injection flaw in GitLab Duo",
      "Fixing XSS vulnerability in Kubernetes proxy",
      "Addressing authorization bypass in workflows",
      "Resolving information disclosure issues in GraphQL, access control, and packages API",
      "Updating libxslt to version 1.1.43"
    ],
    "third_party_assistance": [
      "HackerOne bug bounty program researchers"
    ]
  },
  "stakeholder_advisories": [
    "Urgent upgrade notification for self-managed customers",
    "Security advisory detailing vulnerabilities and mitigations"
  ],
  "title": "GitLab Critical Security Patches Addressing Multiple Vulnerabilities Including Prompt-Injection Flaw in GitLab Duo",
  "type": ["Vulnerability Disclosure", "Patch Release"],
  "vulnerability_exploited": [
    {
      "cve_id": "CVE-2025-6945",
      "cvss_score": 3.5,
      "description": "Allows authenticated users to leak sensitive information from confidential issues by injecting hidden prompts into merge request comments.",
      "severity": "Low",
      "title": "Prompt injection in GitLab Duo review"
    },
    {
      "cve_id": "CVE-2025-11224",
      "cvss_score": 7.7,
      "description": "Allows authenticated users to execute stored XSS attacks due to improper input validation in Kubernetes proxy functionality.",
      "severity": "High",
      "title": "Cross-site scripting in k8s proxy"
    },
    {
      "cve_id": "CVE-2025-11865",
      "cvss_score": 6.5,
      "description": "Allows users to remove another user’s Duo workflows (Enterprise Edition).",
      "severity": "Medium",
      "title": "Incorrect authorization in workflows"
    },
    {
      "cve_id": "CVE-2025-2615",
      "cvss_score": 4.3,
      "description": "Allows blocked users to access confidential information through GraphQL WebSocket subscriptions.",
      "severity": "Medium",
      "title": "Information disclosure in GraphQL subscriptions"
    },
    {
      "cve_id": "CVE-2025-7000",
      "cvss_score": 4.3,
      "description": "Permits unauthorized users to view confidential branch names by accessing project issues with related merge requests.",
      "severity": "Medium",
      "title": "Information disclosure in access control"
    },
    {
      "cve_id": "CVE-2025-6171",
      "cvss_score": 3.1,
      "description": "Enables authenticated reporters to view restricted branch names through the packages API.",
      "severity": "Low",
      "title": "Information disclosure in packages API"
    },
    {
      "cve_id": "CVE-2025-11990",
      "cvss_score": 3.1,
      "severity": "Low",
      "title": "Client-side path traversal in branch names"
    },
    {
      "cve_id": "CVE-2025-7736",
      "cvss_score": 3.1,
      "description": "Allows access to GitLab Pages content through OAuth provider authentication.",
      "severity": "Low",
      "title": "Improper access control in GitLab Pages"
    },
    {
      "cve_id": "CVE-2025-12983",
      "cvss_score": 3.1,
      "severity": "Low",
      "title": "Denial of service in markdown"
    }
  ]
}