CVE-2025-0376
Published: 12 February 2025
Description
An XSS vulnerability exists in GitLab CE/EE affecting all versions from 13.3 prior to 17.6.5, 17.7 prior to 17.7.4 and 17.8 prior to 17.8.2 that allows an attacker to execute unauthorized actions via a change page.
Security Summary
CVE-2025-0376 is a cross-site scripting (XSS) vulnerability, mapped to CWE-79, affecting GitLab Community Edition (CE) and Enterprise Edition (EE) in all versions from 13.3 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2. The flaw exists in a change page component, allowing injected script to run in a victim's browser and perform unauthorized actions. Published on 2025-02-12, it carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), indicating high severity: it is reachable over the network, has low attack complexity, and has a changed scope (S:C), meaning the impact can extend beyond the vulnerable component itself.
An authenticated attacker with low privileges (PR:L) can exploit this by crafting a malicious change page and tricking a user (UI:R) into interacting with it, such as via a phishing link. Exploitation allows execution of unauthorized actions in the victim's browser context, potentially compromising high confidentiality and integrity, such as stealing session data or performing actions on the victim's behalf within the GitLab instance.
Mitigation requires upgrading to patched versions: 17.6.5 or later for the 17.6 series, 17.7.4 or later for the 17.7 series, and 17.8.2 or later for the 17.8 series. Further details on the issue and resolution are documented in the GitLab issue tracker at https://gitlab.com/gitlab-org/gitlab/-/issues/512603 and the originating HackerOne report at https://hackerone.com/reports/2930243.
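To turn the affected ranges above into a repeatable check, here is an added helper (not part of the advisory or GitLab's tooling) that parses a GitLab version string, reports whether it falls inside one of the three affected ranges, and names the patched release for that series. The version strings and the `inventory` list are constructed sample values; the range boundaries are taken from the advisory text.

```python
# Affected ranges from the CVE-2025-0376 advisory, as half-open intervals:
# [13.3, 17.6.5), [17.7, 17.7.4), [17.8, 17.8.2). The upper bound of each
# interval is the first patched release for that series.
AFFECTED_RANGES = [
    ((13, 3, 0), (17, 6, 5)),
    ((17, 7, 0), (17, 7, 4)),
    ((17, 8, 0), (17, 8, 2)),
]


def parse_version(text):
    """Parse 'MAJOR.MINOR[.PATCH][-suffix]' into a comparable 3-tuple of ints.

    GitLab reports versions such as '17.6.4-ee'; the '-ee'/'-ce' suffix does
    not affect the comparison and is dropped. A missing PATCH is treated as 0.
    """
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return tuple(nums)


def is_affected(version):
    """True if `version` lies in any affected range (lower bound inclusive,
    patched release exclusive)."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def minimum_fix(version):
    """Return the first patched release for the series `version` belongs to,
    or None when the version is not affected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(map(str, hi))
    return None


def audit(inventory):
    """Given (host, version) pairs, return (host, version, fix) for every
    affected instance so the result can feed a patch ticket or dashboard."""
    return [(host, ver, minimum_fix(ver))
            for host, ver in inventory if is_affected(ver)]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [("git-a.example", "17.6.4-ee"), ("git-b.example", "17.6.5-ee"),
                 ("git-c.example", "16.11.2-ce"), ("git-d.example", "17.8.2-ee")]
    for host, ver, fix in audit(inventory):
        print(f"{host}: {ver} is affected by CVE-2025-0376, upgrade to {fix}+")
```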
Details
- CWE(s)