CVE-2025-11224 Overview
A stored cross-site scripting (XSS) vulnerability has been identified in GitLab CE/EE affecting all versions from 15.10 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2. The vulnerability exists due to improper input validation in the Kubernetes proxy functionality, which could allow an authenticated user to inject and execute malicious scripts in the context of other users' browser sessions.
Critical Impact
Authenticated attackers can execute stored XSS attacks through the Kubernetes proxy feature, potentially leading to session hijacking, credential theft, and unauthorized actions on behalf of other GitLab users.
Affected Products
- GitLab Community Edition (CE) versions 15.10 through 18.3.5
- GitLab Enterprise Edition (EE) versions 15.10 through 18.3.5
- GitLab CE/EE versions 18.4.0 through 18.4.3
- GitLab CE/EE versions 18.5.0 through 18.5.1
Discovery Timeline
- 2025-11-12 - GitLab releases security patch in version 18.5.2
- 2026-01-14 - CVE CVE-2025-11224 published to NVD
- 2026-01-21 - Last updated in NVD database
Technical Details for CVE-2025-11224
Vulnerability Analysis
This stored cross-site scripting vulnerability resides in GitLab's Kubernetes proxy functionality, a feature that enables users to interact with Kubernetes clusters directly through the GitLab interface. The vulnerability stems from insufficient input validation and output encoding when processing user-supplied data that passes through the Kubernetes proxy.
When an authenticated user submits specially crafted input through the Kubernetes proxy feature, the malicious payload is stored within the application and subsequently rendered without proper sanitization when other users access the affected resource. This allows the attacker's JavaScript code to execute in the browser context of victim users who view the compromised content.
The attack requires user interaction (the victim must navigate to a page containing the stored payload), and the scope is changed, meaning the vulnerability can impact resources beyond the vulnerable component itself. While confidentiality and integrity impacts are limited, the stored nature of this XSS makes it particularly dangerous as the malicious payload persists and can affect multiple users over time.
Root Cause
The root cause of CVE-2025-11224 is improper input validation (CWE-79) in the Kubernetes proxy functionality. The application fails to properly sanitize user-controlled input before storing it and subsequently fails to encode the output when rendering the data back to users. This dual failure in both input validation and output encoding creates the conditions necessary for stored XSS exploitation.
Specifically, the Kubernetes proxy feature does not adequately filter or escape HTML entities and JavaScript code embedded within user input, allowing attackers to inject executable scripts that persist within the application.
Attack Vector
The attack leverages network-based access with low complexity. An attacker must have low-level privileges (authenticated user) to exploit this vulnerability. The attack flow proceeds as follows:
- An authenticated attacker identifies the vulnerable input field within the Kubernetes proxy functionality
- The attacker crafts a malicious payload containing JavaScript code designed to steal session tokens, credentials, or perform actions on behalf of victims
- The payload is submitted and stored within the GitLab application
- When other authenticated users access the page containing the stored payload, the malicious script executes in their browser context
- The attacker can then harvest stolen credentials, hijack sessions, or perform unauthorized actions
The vulnerability requires user interaction as victims must navigate to the affected page for the payload to execute. For detailed technical analysis, refer to the HackerOne Security Report #3277291 and the GitLab Issue Discussion.
Detection Methods for CVE-2025-11224
Indicators of Compromise
- Unexpected JavaScript execution or browser behavior when accessing Kubernetes-related pages in GitLab
- Suspicious user activity logs showing unusual API calls or data access patterns following visits to Kubernetes proxy pages
- Network traffic analysis revealing exfiltration of session tokens or credentials to external domains
- User reports of unexpected authentication prompts or session invalidations
Detection Strategies
- Monitor GitLab application logs for suspicious input patterns containing HTML tags, JavaScript event handlers, or script elements in Kubernetes proxy requests
- Implement Content Security Policy (CSP) headers to detect and block unauthorized script execution, monitoring CSP violation reports
- Deploy web application firewalls (WAF) with XSS detection rules specifically targeting Kubernetes proxy endpoints
- Enable browser-based XSS auditors and monitor for triggered alerts during GitLab usage
Monitoring Recommendations
- Audit user input submitted to Kubernetes proxy functionality for potentially malicious patterns
- Review GitLab access logs for unusual patterns of page views that may indicate reconnaissance or exploitation attempts
- Monitor for unexpected changes to user permissions, project settings, or repository configurations that may result from XSS exploitation
- Implement real-time alerting for CSP violations originating from GitLab instances
How to Mitigate CVE-2025-11224
Immediate Actions Required
- Upgrade GitLab CE/EE to version 18.5.2, 18.4.4, or 18.3.6 depending on your current version branch
- If immediate patching is not possible, consider temporarily restricting access to Kubernetes proxy functionality
- Review user activity logs for signs of potential exploitation prior to patching
- Implement or strengthen Content Security Policy headers as a defense-in-depth measure
Patch Information
GitLab has released patched versions addressing this vulnerability. Organizations should upgrade to the following versions based on their current deployment:
- For versions 18.5.x: Upgrade to 18.5.2 or later
- For versions 18.4.x: Upgrade to 18.4.4 or later
- For versions 15.10 through 18.3.x: Upgrade to 18.3.6 or later
Refer to the GitLab Patch Release Announcement for complete patch details and upgrade instructions.
Workarounds
- Restrict access to Kubernetes integration features to only trusted users until patching can be completed
- Implement strict Content Security Policy headers to mitigate the impact of successful XSS exploitation
- Enable additional logging and monitoring on GitLab instances to detect potential exploitation attempts
- Consider network segmentation to limit the potential blast radius if exploitation occurs
# Example: Adding restrictive CSP headers in GitLab NGINX configuration
# Add to /etc/gitlab/gitlab.rb
nginx['custom_gitlab_server_config'] = "add_header Content-Security-Policy \"default-src 'self'; script-src 'self'; object-src 'none';\";"
# After modifying, reconfigure GitLab
sudo gitlab-ctl reconfigure
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
