Cyber Posture

CVE-2025-2255

Severity: High · Public PoC

Published: 27 March 2025
Modified: 13 August 2025
KEV Added:
Patch:
CVSS Score: 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
EPSS Score: 0.0016 (36.4th percentile)
Risk Priority: 17 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may abuse various implementations of JavaScript for execution.

Security Summary

CVE-2025-2255 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, in the AppSec component of GitLab Enterprise Edition (EE) and Community Edition (CE). It affects all versions from 13.5.0 prior to 17.8.6, 17.9 prior to 17.9.3, and 17.10 prior to 17.10.1. The flaw stems from certain error messages that could enable XSS attacks.

With a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), the vulnerability can be exploited over the network by an attacker possessing low privileges. Exploitation requires user interaction and low attack complexity, but successful attacks change scope and result in high impacts to confidentiality and integrity, such as potential session theft or manipulation of user data in the victim's browser.

Mitigation requires upgrading to GitLab versions 17.8.6, 17.9.3, or 17.10.1 or later. Further details on the issue and resolution are documented in the GitLab issue tracker at https://gitlab.com/gitlab-org/gitlab/-/issues/524635 and the corresponding HackerOne report at https://hackerone.com/reports/2994150.

Details

CWE(s)
CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting")

Affected Products

Vendor: gitlab
Product: gitlab
Affected versions: 13.5.0 up to (but not including) 17.8.6 · 17.9.0 up to (but not including) 17.9.3 · 17.10.0

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.007 JavaScript (Execution)
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

An XSS vulnerability in the public-facing GitLab web application maps to T1190 (exploiting a public-facing application for initial access) and T1059.007 (JavaScript execution via scripts injected through error messages), with session theft as the likely follow-on impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

GitLab issue tracker: https://gitlab.com/gitlab-org/gitlab/-/issues/524635
HackerOne report: https://hackerone.com/reports/2994150