Gitlab has issued security updates to address several weaknesses in the company’s devsecops platform, with the attackers able to handle accounts and inject malicious jobs in future pipelines.
The company issued the Gitlab community and enterprise version 18.0.2, 17.11.4 and 17.10.8 to address these security flaws and urged to upgrade from all appreciation.
“These versions have significant bugs and safety improvements, and we strongly recommend that all self-managed Gitlab installations be immediately upgraded to one of these versions,” the company Wags“Gitlab.com is already running the version already patching. Gitlab dedicated customers do not need to take action.”
On Wednesday, Gitlab tracks an HTML injection issue Cve-2025-4278 This can allow remote attackers to handle accounts by injecting malicious codes in the search page.
It also issued a patch for a missing authority issue (Cve-2025-5121) This affects Gitlab ultimat ee and allows distant danger actors to inject malicious CI/CD jobs in the future CI/CD pipelines of any project.
The Gitlab pipeline is a continuous integration/continuous perineeration (CI/CD) system feature that allows users to create code changes, test or deploy or automatically run processes and functions in parallel.
However, the attackers for successful exploitation requires certified access to gitlab examples with Gitlab final license.
The company also packed a cross-site scripting vulnerability (Cve-2025-2254) Successful attackers can act in terms of a legitimate user and refuse service (DOS) defects (DOS)Cve-2025-0673)) Who can allow malicious actors to trigger infinite redirect loops, leading to tiredness and refusing access to legitimate users.
Gitlab repository is often targeted in attacks because sensitive information and data are included, as reported by recent violations by the multinational car-recipes European Mobility Group and Education Giant Piercene, with their Gitlab repo compromised since the beginning of the year.
Gitlab’s devsecops platforms have more than 30 million registered users and are used by more than 50% of Fortune 100 companies, including Goldman Sachs, Airbus, T-Mobile, Lockheed Martin, NVDia and UBS.
Patching meant complex scripts, long and endless fire drills. No more.
In this new guide, the tines break down how it is leveling with modern organ automation. Patch fast, reduce overhead, and focus on strategic tasks – no complex script is required.
