Security researchers have uncovered vulnerabilities in GitLab’s Community Edition and Enterprise Edition platforms, prompting the company to release critical security patches. On December 10th, 2025, Gitlab released update versions (18.6.2, 18.5.4, and 18.4.6) addressing ten significant vulnerabilities across both their Community and Enterprise editions.
These vulnerabilities pose a serious threat to users, prompting immediate action for self-managed installations. The severity of these flaws ranges from high-severity to low, with several vulnerabilities impacting crucial functionality like cross-site scripting (XSS), web services denial of service (DoS), authentication bypass, and information disclosure.
A Closer Look at the Vulnerabilities:
The most concerning vulnerabilities include:
- Four High-Severity XSS Flaws: These flaws allow for unauthorized actions on behalf of other users.
- One specific flaw targets Wiki functionality, allowing attackers to exploit it with malicious input.
- XSS Vulnerability in Swagger UI: This vulnerability allows attackers to execute arbitrary JavaScript code on the application’s frontend, potentially leading to website defacement or data theft.
- GraphQL Denial-of-Service (DoS) Issue: This flaw enables attackers to bypass query limits and trigger service disruptions.
- Authentication Bypass: This vulnerability affects users of WebAuthn two-factor authentication, allowing attackers to bypass security controls and gain access to protected resources.
Addressing the Vulnerabilities: Patching the Gaps
GitLab strongly recommends all self-managed installations upgrade immediately, as GitLab.com already runs patched versions. The patch includes database migrations that may affect upgrade timelines. Users running pre-18.4.6, 18.5.x before 18.5.4, or 18.6.x before 18.6.2 are particularly vulnerable and should update their systems as soon as possible.
How to Stay Protected
- Update your GitLab version: The most immediate action is to ensure the latest security updates are installed.
- Consider Multi-Node Deployments: For multi-node installations, utilizing zero-downtime procedures can help minimize service disruption during the update process.
While this update focuses on high-severity vulnerabilities, other issues were also addressed, such as information disclosure through error messages and HTML injection in merge request titles.
For more detailed information regarding affected version ranges and specific patch notes, consult the official GitLab release documentation.