CVE-2025-1763: About GitLab EE (2nd Jun 2025)

Preface: The software industry favors GitLab because it provides a comprehensive, integrated development platform that covers everything from planning and code management to continuous integration and deployment. This single-platform approach to operations and maintenance simplifies the software development life cycle and promotes collaboration between teams. GitLab's open-source nature, free basic version, and strong community have further enhanced its popularity.

Background: GitLab Enterprise Edition (EE) is the self-hosted, open-core version of the GitLab platform. It builds on the core features of GitLab Community Edition (CE) and adds features, support, and licensing options designed for enterprise users. EE is not free to use as a whole: it offers a free tier for initial self-hosting and then provides paid subscription levels (Core, Starter, Premium, and Ultimate) for enhanced features and support.

Vulnerability details: An issue has been discovered in GitLab EE that allows a cross-site scripting (XSS) attack and a content security policy (CSP) bypass in a user's browser under specific conditions. It affects all versions from 16.6 before 17.9.7, 17.10 before 17.10.5, and 17.11 before 17.11.1.

My Speculation: The issue stems from improper sanitization of user-controllable input, which is then rendered in a web page. This is a classic DOM-based XSS scenario, where the browser executes injected scripts due to insufficient input validation and output encoding.

Official announcement: Please see the link for details – https://nvd.nist.gov/vuln/detail/CVE-2025-1763
