An issue has been discovered in GitLab EE that allows for cross-site-scripting attack and content security policy bypass in a user's browser under specific conditions, affecting all versions from 16.6 before 17.9.7, 17.10 before 17.10.5, and 17.11 before 17.11.1.
Fixes

Solution

Upgrade to versions 17.9.7, 17.10.5, 17.11.1 or above.


Workaround

No workaround given by the vendor.

History

Tue, 12 Aug 2025 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:17.11.0:*:*:*:enterprise:*:*:*

Fri, 20 Jun 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Jun 2025 17:30:00 +0000

Type Values Removed Values Added
Description An issue has been discovered in GitLab EE that allows for cross-site-scripting attack and content security policy bypass in a user's browser under specific conditions, affecting all versions from 16.6 before 17.9.7, 17.10 before 17.10.5, and 17.11 before 17.11.1.
Title Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-79
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2025-06-20T17:27:26.650Z

Reserved: 2025-03-17T16:02:04.026Z

Link: CVE-2025-2443

cve-icon Vulnrichment

Updated: 2025-06-20T17:27:18.902Z

cve-icon NVD

Status : Analyzed

Published: 2025-06-20T18:15:28.270

Modified: 2025-08-12T14:50:31.247

Link: CVE-2025-2443

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.