CVE-2025-0314

High

Published: 24 January 2025

Published

24 January 2025

Modified

05 August 2025

KEV Added

—

Patch

—

CVSS Score 8.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

EPSS Score 0.0790 92.0th percentile

Risk Priority 22 60% EPSS · 20% KEV · 20% CVSS

Description

An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.6.4, 17.7 before 17.7.3, and 17.8 before 17.8.1. Improper rendering of certain file types lead to cross-site scripting.

Security Summary

CVE-2025-0314 is a cross-site scripting (XSS) vulnerability, classified as CWE-79, discovered in GitLab Community Edition (CE) and Enterprise Edition (EE). It affects all versions from 17.2 prior to 17.6.4, 17.7 prior to 17.7.3, and 17.8 prior to 17.8.1. The root cause is improper rendering of certain file types, which enables XSS attacks within the GitLab interface.

With a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), the vulnerability can be exploited over the network by an attacker possessing low privileges, such as a regular authenticated user. Exploitation requires low complexity but user interaction, typically by tricking a victim into viewing or interacting with a malicious file in GitLab. Success grants high confidentiality and integrity impacts across the changed scope, allowing potential theft of session data, cookies, or execution of arbitrary scripts in the victim's browser context.

Advisories indicate mitigation through upgrading to patched versions: 17.6.4, 17.7.3, or 17.8.1 and later. Additional details are available in the GitLab issue tracker at https://gitlab.com/gitlab-org/gitlab/-/issues/512118 and the originating HackerOne report at https://hackerone.com/reports/2922313.

Details

CWE(s): CWE-79

Affected Products

gitlab

17.8.0 · 17.2.0 — 17.6.4 · 17.2.0 — 17.6.4 · 17.7.0 — 17.7.3

References

https://gitlab.com/gitlab-org/gitlab/-/issues/512118
Broken Link · cve@gitlab.com
https://hackerone.com/reports/2922313
Permissions Required · cve@gitlab.com