GitLab fixed 6 vulnerabilities, including 2 high-severity XSS flaws, in its latest patch versions. CVE-2025-4700, rated with a CVSS score of 8.7, affects the Kubernetes proxy feature and could allow authenticated attackers to trigger unintended content rendering, leading to XSS under specific circumstances. The remaining vulnerabilities, CVE-2025-0765 and CVE-2025-1299, address unauthorized access to custom service desk email addresses and to deployment job logs, respectively.

Both XSS vulnerabilities were discovered by security researcher joaxcar through the HackerOne platform, highlighting the effectiveness of GitLab's bug bounty program in identifying critical security flaws. Researchers iamgk808, rogerace, and pwnie also contributed to the discovery of the other issues through responsible disclosure, and the set of fixes reflects the security review undertaken by GitLab's security team.

These patches are a coordinated response to vulnerabilities reported through GitLab's HackerOne bug bounty program, and immediate action is strongly recommended for all self-managed installations. GitLab strongly recommends upgrading to the latest patch versions without delay; GitLab.com is already running the patched versions, and GitLab Dedicated customers require no action. Vulnerability details will be publicly disclosed on GitLab's issue tracker 30 days after release, maintaining transparency while allowing system administrators adequate time to apply the patches.
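The Kubernetes proxy issue above is described only as "unintended content rendering" leading to XSS, so the exact mechanism is not on the page. The following is an added example, not GitLab's code and not a reconstruction of CVE-2025-4700: it shows the general defensive pattern for any server-side proxy that relays upstream responses to a browser, namely never letting the relayed body be rendered as a page of the proxying origin. The allowlist of media types, the header names and the sample upstream responses are assumptions constructed for the example.

```python
"""Harden the headers of a response relayed by a server-side proxy.

Added example (not GitLab's implementation). Assumes the proxy only intends
to relay API-style data (JSON or plain text) and that the standard HTTP
header names below are what the browser will honour.
"""

from typing import Dict

# Media types the proxy expects to relay as data. Anything else is sent as a
# download instead of being rendered inline. (Assumed allowlist.)
SAFE_TYPES = {"application/json", "text/plain"}

# Headers an upstream must never be allowed to inject into the proxied reply.
STRIPPED_HEADERS = ("set-cookie", "transfer-encoding", "connection")


def harden_proxied_headers(upstream_headers: Dict[str, str]) -> Dict[str, str]:
    """Return the header set the proxy should send downstream.

    - Header names are normalised to lower case for the checks.
    - Cookie and hop-by-hop headers from upstream are dropped.
    - X-Content-Type-Options: nosniff stops a mislabelled body from being
      sniffed into HTML.
    - A content type outside SAFE_TYPES is replaced and the body is marked
      as an attachment so the browser will not render it.
    - A restrictive CSP is added as a second layer in case a type does get
      rendered.
    """
    out = {name.lower(): value for name, value in upstream_headers.items()}
    for name in STRIPPED_HEADERS:
        out.pop(name, None)

    ctype = out.get("content-type", "application/octet-stream")
    media = ctype.split(";")[0].strip().lower()
    if media not in SAFE_TYPES:
        out["content-type"] = "application/octet-stream"
        out["content-disposition"] = "attachment"

    out["x-content-type-options"] = "nosniff"
    out["content-security-policy"] = "default-src 'none'; sandbox"
    return out


def would_render_as_html(headers: Dict[str, str]) -> bool:
    """Review check: does this header set let a browser render the body as
    HTML in the serving origin? Lower-case header names are expected."""
    if headers.get("content-disposition", "").lower().startswith("attachment"):
        return False
    media = headers.get("content-type", "").split(";")[0].strip().lower()
    return media in ("text/html", "application/xhtml+xml")


if __name__ == "__main__":
    # Constructed sample: an upstream that answers with HTML and a cookie.
    upstream = {"Content-Type": "text/html; charset=utf-8", "Set-Cookie": "s=1"}
    naive = {k.lower(): v for k, v in upstream.items()}
    print("naive relay renders as HTML:", would_render_as_html(naive))
    print("hardened relay renders as HTML:",
          would_render_as_html(harden_proxied_headers(upstream)))
```

The point of `would_render_as_html` is that `nosniff` alone does not help when the upstream declares `text/html` honestly; the proxy has to decide which types it is willing to relay inline and force everything else into a non-rendering path.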
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 24 Jul 2025 10:20:15 +0000