CVE-2025-12029 Overview
GitLab patched a Cross-Site Scripting (XSS) vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE) that allowed unauthenticated attackers to inject malicious external scripts into the Swagger UI component. The flaw affects all versions from 15.11 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2. Successful exploitation allows attackers to perform unauthorized actions on behalf of another user. The weakness is classified as [CWE-79] Improper Neutralization of Input During Web Page Generation.
Critical Impact
An unauthenticated attacker can hijack authenticated user sessions and execute actions in the victim's context by injecting external scripts into the Swagger UI rendering path.
Affected Products
- GitLab Community Edition (CE) versions 15.11 through 18.4.5
- GitLab Enterprise Edition (EE) versions 18.5 through 18.5.3
- GitLab CE/EE versions 18.6 through 18.6.1
Discovery Timeline
- 2025-12-10 - GitLab releases patched versions 18.6.2, 18.5.4, and 18.4.6
- 2025-12-11 - CVE-2025-12029 published to NVD
- 2025-12-23 - Last updated in NVD database
Technical Details for CVE-2025-12029
Vulnerability Analysis
The vulnerability resides in GitLab's Swagger UI integration. Swagger UI renders OpenAPI documentation interactively within GitLab. The component fails to properly neutralize user-controllable input, allowing attackers to inject external JavaScript references into the rendered page. When an authenticated user accesses a crafted URL, the injected script executes in the browser under the GitLab origin.
Because the scope is changed (S:C in the CVSS vector), the injected script can affect resources beyond the vulnerable component itself. This includes the victim's authenticated GitLab session, repositories, and API tokens accessible from the browser. The attacker does not need credentials to craft the malicious payload, but a victim must interact with the link for exploitation to succeed.
Root Cause
The root cause is improper input neutralization in the Swagger UI configuration handling path. GitLab passed externally controllable parameters into the Swagger UI initialization without sufficient validation. This permitted reference to external script URLs, which Swagger UI then loaded and executed inside the GitLab document context.
Attack Vector
The attack vector is network-based with required user interaction. An attacker hosts a malicious JavaScript payload on an attacker-controlled server. The attacker then distributes a crafted GitLab URL that references the external script via the Swagger UI integration. When a logged-in GitLab user visits the link, the browser fetches and executes the attacker's script under the GitLab session, enabling session hijacking, CSRF-like actions, and data exfiltration.
No verified public proof-of-concept code is available. Refer to the HackerOne Security Report and the GitLab Issue Discussion for additional technical context.
Detection Methods for CVE-2025-12029
Indicators of Compromise
- HTTP requests to GitLab Swagger UI endpoints containing external URLs in query parameters, particularly references to .js files on untrusted domains
- Browser console errors or content security policy violations originating from /api/v4/ documentation routes
- Unexpected outbound requests from user browsers to attacker-controlled domains following GitLab page loads
- API token usage or repository modifications from sessions that visited unusual Swagger UI URLs
Detection Strategies
- Inspect web server and reverse proxy logs for GitLab requests containing suspicious query string parameters referencing external JavaScript resources
- Deploy a strict Content Security Policy (CSP) in report-only mode to surface script-src violations on Swagger UI paths
- Correlate user session activity with referrer headers pointing to non-GitLab origins prior to sensitive API actions
Monitoring Recommendations
- Monitor GitLab audit logs for unauthorized actions performed shortly after user clicks on external links
- Alert on personal access token creation or SSH key additions following anomalous Swagger UI navigation
- Track DNS resolution from internal users to newly registered domains referenced in GitLab traffic
How to Mitigate CVE-2025-12029
Immediate Actions Required
- Upgrade self-managed GitLab installations to version 18.6.2, 18.5.4, or 18.4.6 depending on your release branch
- Audit personal access tokens, SSH keys, and recent project activity for unauthorized modifications since November 2025
- Inform GitLab users to avoid clicking GitLab links from untrusted sources until patching is verified
Patch Information
GitLab released patched versions 18.6.2, 18.5.4, and 18.4.6 on December 10, 2025. GitLab.com SaaS instances were patched by the vendor. See the GitLab Patch Release Announcement for upgrade instructions and full release notes.
Workarounds
- No official workaround is published by GitLab; upgrading is the recommended remediation path
- Apply a restrictive Content Security Policy at the reverse proxy layer to block execution of scripts from non-GitLab origins
- Restrict access to Swagger UI documentation endpoints via network ACLs where the feature is not required
# Configuration example - upgrade GitLab Omnibus to a patched release
sudo apt-get update
sudo apt-get install gitlab-ce=18.6.2-ce.0
sudo gitlab-ctl reconfigure
sudo gitlab-ctl restart
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
