GitLab has issued a security advisory warning of multiple high-risk vulnerabilities in its DevOps platform, including two critical Cross-Site Scripting (XSS) flaws that let attackers bypass security controls and execute malicious scripts in users' browsers. GitLab has released patched versions 17.9.1, 17.8.4, and 17.7.6.

The vulnerabilities, tracked as CVE-2025-0475 (CVSS 8.7) and CVE-2025-0555 (CVSS 7.7), affect self-managed instances across multiple versions, with exploit scenarios allowing session hijacking, credential theft, and unauthorized system access. One of the flaws enables attackers to bypass Content Security Policy (CSP) restrictions using specially crafted dependency metadata files containing JavaScript payloads. The attack vector (AV:N/AC:L/PR:L) requires network access and low attacker privileges but enables full compromise of user sessions through crafted HTTP responses.

Security analysts warn that unpatched GitLab instances remain prime targets for APT groups, with XSS vulnerabilities increasingly weaponized in software supply chain attacks. GitLab's bug bounty program credited researchers joaxcar, yuki_osaki, and weasterhacker with discovering these vulnerabilities, underscoring the platform's reliance on community-driven security.
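As an added example (not from the advisory or from GitLab), the following script classifies reported GitLab version strings against the three fixed releases named above, so an inventory of self-managed instances can be triaged for upgrade. The FIXED_VERSIONS table comes from the advisory; the handling of branches older than 17.7 (treated as needing an upgrade) and newer than 17.9 (treated as released after the fix) is an assumption.

```python
from typing import Dict, Tuple

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (17, 9): (17, 9, 1),
    (17, 8): (17, 8, 4),
    (17, 7): (17, 7, 6),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'X.Y.Z' (an '-ee'/'-ce' suffix is tolerated) into an int tuple."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_vulnerable(version: str) -> bool:
    """True if the version predates the fixed release on its branch."""
    v = parse_version(version)
    branch = (v[0], v[1])
    if branch in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[branch]
    # Assumption: branches older than 17.7 receive no fix and must be upgraded;
    # anything newer than 17.9 shipped after the fixed releases.
    return v < min(FIXED_VERSIONS.values())


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map instance name -> 'upgrade' or 'patched' for a {name: version} inventory."""
    return {
        name: ("upgrade" if is_vulnerable(ver) else "patched")
        for name, ver in inventory.items()
    }


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"ci-main": "17.9.0-ee", "ci-legacy": "17.7.6-ce", "lab": "17.6.2"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```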
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 27 Feb 2025 07:50:13 +0000