CVE-2025-12669 Overview
CVE-2025-12669 is an improper input sanitization vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE). The flaw allows an authenticated user to inject HTML and JavaScript into email notifications delivered to other users. The vulnerability is classified under [CWE-94] Improper Control of Generation of Code. GitLab addressed the issue across affected branches in versions 18.9.7, 18.10.6, and 18.11.3. The defect affects all releases from 15.11 up to, but not including, the patched versions.
Critical Impact
An authenticated attacker can deliver malicious HTML or scripts to recipient inboxes, enabling phishing, credential harvesting, and content spoofing through trusted GitLab notification emails.
Affected Products
- GitLab CE/EE versions 15.11 through 18.9.6
- GitLab CE/EE versions 18.10 through 18.10.5
- GitLab CE/EE versions 18.11 through 18.11.2
Discovery Timeline
- 2026-05-14 - CVE-2025-12669 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2025-12669
Vulnerability Analysis
The vulnerability resides in GitLab's email notification subsystem. GitLab fails to sanitize user-controlled input before embedding it into outbound notification emails. An authenticated user can craft input containing HTML tags or JavaScript that GitLab includes verbatim in notification messages. Recipients render this content when opening the email in clients that interpret HTML.
The attack requires authentication and user interaction from the recipient. The scope change indicates the impact extends beyond GitLab itself to the user's email client. Confidentiality and integrity impacts are limited but real, as injected content can mimic legitimate GitLab communications.
Root Cause
The root cause is missing output encoding when constructing email notification bodies. GitLab treats certain user-supplied fields as safe HTML rather than escaping them before rendering. This allows attacker-controlled markup to survive into the final email payload sent to subscribers, watchers, or assignees.
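To make the root cause concrete, the following is an added illustration (not GitLab's own code) of a notification template that interpolates a user-controlled field into an HTML email body, first with the value treated as safe HTML and then with it escaped. The template, the field names and the sample title are assumptions made for the example.

```ruby
require "erb"
require "cgi"

# Illustrative notification template, not GitLab's own code: a user-controlled
# field (the issue title) is interpolated into an HTML email body. Template and
# field names are assumptions made for this example.
TEMPLATE = <<~HTML
  <p><strong><%= actor %></strong> opened issue: <%= title %></p>
HTML

# Vulnerable form: the user-supplied title is treated as safe HTML and reaches
# the email body verbatim, so any markup it carries survives into the message.
def render_unsafe(actor:, title:)
  ERB.new(TEMPLATE).result_with_hash(actor: actor, title: title)
end

# Hardened form: every user-controlled value is HTML-escaped before it is placed
# in the body. Ruby's ERB::Util.html_escape delegates to CGI.escapeHTML.
def render_safe(actor:, title:)
  ERB.new(TEMPLATE).result_with_hash(
    actor: CGI.escapeHTML(actor),
    title: CGI.escapeHTML(title)
  )
end

# Heuristic used only to show the difference: does the rendered body still
# contain one of the active elements listed in the indicators of compromise?
def active_markup?(body)
  body.match?(%r{<(script|iframe|style|a)\b}i)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample title carrying an inline frame.
  title = %(Deploy failed <iframe src="https://example.invalid/"></iframe>)
  puts render_unsafe(actor: "alice", title: title)   # iframe survives
  puts render_safe(actor: "alice", title: title)     # iframe becomes escaped text
end
```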
Attack Vector
An attacker with a valid GitLab account submits crafted content containing HTML or JavaScript through a feature that generates notifications, such as issue creation, merge request updates, or comments. GitLab dispatches notification emails to subscribed users with the unsanitized payload embedded. When recipients open the message, the email client may render injected HTML, display spoofed UI elements, or load remote resources controlled by the attacker. The vulnerability is exploitable over the network and requires recipient interaction. Refer to the GitLab Work Item Details and HackerOne Security Report for additional technical context.
Detection Methods for CVE-2025-12669
Indicators of Compromise
- Outbound GitLab notification emails containing unexpected <script>, <iframe>, <style>, or <a href="javascript:..."> constructs.
- Issue, merge request, or comment fields containing raw HTML markup submitted by non-administrative users.
- User reports of GitLab notification emails displaying spoofed branding, fake login prompts, or unexpected external links.
Detection Strategies
- Audit GitLab application logs and the audit event stream for issue, comment, and merge request bodies containing HTML tags or javascript: URIs.
- Inspect the outbound mail queue or SMTP relay logs for notification messages whose bodies contain unescaped HTML originating from user input fields.
- Correlate authenticated user activity with downstream complaints about phishing-like GitLab emails.
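The first detection strategy above, as an added example that is not part of the original advisory: a scanner that runs the indicators of compromise (active HTML elements and javascript: URIs) over newline-delimited JSON records of user-submitted issue, merge request and comment bodies. The record field names (username, path, body) and the sample lines are constructed for the example and are not GitLab's log schema.

```ruby
require "json"

# Indicators from the advisory: active HTML elements and javascript: URIs in
# user-submitted text. Extend the element list to suit your environment.
ACTIVE_HTML = /<(script|iframe|style)\b/i
JS_URI      = /\b(href|src)\s*=\s*["']?\s*javascript:/i

# Return the indicator matched by a text body, or nil when it is clean.
def classify_body(body)
  return nil if body.nil?
  return "active_html" if body.match?(ACTIVE_HTML)
  return "javascript_uri" if body.match?(JS_URI)
  nil
end

# Scan newline-delimited JSON records. The field names are assumptions for this
# example; map them onto the fields your audit or API log actually carries.
def scan_log_lines(lines)
  hits = []
  lines.each_with_index do |line, idx|
    next if line.strip.empty?
    record = begin
      JSON.parse(line)
    rescue JSON::ParserError
      next                      # skip lines that are not JSON
    end
    indicator = classify_body(record["body"])
    next unless indicator
    hits << { line: idx + 1, user: record["username"],
              path: record["path"], indicator: indicator }
  end
  hits
end

# Constructed sample records (not real GitLab logs).
SAMPLE_LOG = <<~'LOG'
  {"username":"alice","path":"/group/app/-/issues","body":"Crash on startup, see attached trace."}
  {"username":"bob","path":"/group/app/-/merge_requests/12/notes","body":"Session expired <iframe src=\"https://example.invalid/\"></iframe>"}
  {"username":"carol","path":"/group/app/-/issues/7/notes","body":"Click <a href=\"javascript:void(0)\">here</a>"}
  not json at all
LOG

if __FILE__ == $PROGRAM_NAME
  scan_log_lines(SAMPLE_LOG.lines).each { |hit| puts hit.inspect }
end
```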
Monitoring Recommendations
- Enable GitLab audit logging at the instance level and ship events to a centralized analytics platform for retention and search.
- Monitor the GitLab version reported by /help or the API and alert when instances run versions earlier than 18.9.7, 18.10.6, or 18.11.3.
- Add detection rules at the email gateway to flag inbound messages from GitLab senders that contain script tags or suspicious link redirections.
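For the version check in the second recommendation, here is an added example (not GitLab's own tooling) that maps a reported version string onto the affected ranges listed in this advisory and returns a verdict. It accepts the JSON body of GitLab's authenticated /api/v4/version endpoint; the sample response is constructed.

```ruby
require "json"

# Affected ranges from the advisory: [first affected, first fixed] per branch.
# Versions are compared as integer triples; edition suffixes such as "-ee" are
# ignored.
AFFECTED_RANGES = [
  [[15, 11, 0], [18, 9, 7]],
  [[18, 10, 0], [18, 10, 6]],
  [[18, 11, 0], [18, 11, 3]]
].freeze

# "18.11.2-ee" -> [18, 11, 2]; "18.10" -> [18, 10, 0]; nil if unparseable.
def parse_version(str)
  m = str.to_s.match(/\A(\d+)\.(\d+)(?:\.(\d+))?/)
  return nil unless m
  [m[1].to_i, m[2].to_i, (m[3] || 0).to_i]
end

# true when the version lies inside any affected range (lo <= v < first fixed),
# false when it does not, nil when the string cannot be parsed.
def vulnerable_to_cve_2025_12669?(str)
  v = parse_version(str)
  return nil if v.nil?
  AFFECTED_RANGES.any? { |lo, hi| (v <=> lo) >= 0 && (v <=> hi) < 0 }
end

# Takes the JSON body returned by /api/v4/version ({"version": ..., "revision": ...})
# and returns a one-line verdict suitable for an alerting rule.
def assess_version_response(json_body)
  version = JSON.parse(json_body)["version"]
  case vulnerable_to_cve_2025_12669?(version)
  when true  then "#{version}: AFFECTED, upgrade to the fixed release of this branch"
  when false then "#{version}: not affected"
  else            "#{version.inspect}: unrecognised version string"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed response; the revision value is a placeholder.
  puts assess_version_response('{"version":"18.11.2-ee","revision":"placeholder"}')
end
```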
How to Mitigate CVE-2025-12669
Immediate Actions Required
- Upgrade GitLab CE/EE to 18.9.7, 18.10.6, or 18.11.3 depending on the deployed branch.
- Review recent issues, comments, and merge requests for embedded HTML or JavaScript and remove malicious content.
- Notify users to treat GitLab notification emails with caution until the patch is applied and verify links before clicking.
Patch Information
GitLab released fixed versions on May 13, 2026. Administrators should apply the patch matching their deployed branch: 18.9.7 for the 18.9.x line, 18.10.6 for the 18.10.x line, or 18.11.3 for the 18.11.x line. See the GitLab Release Patch Announcement for upgrade instructions and full release notes.
Workarounds
- Restrict account creation and limit project membership to trusted users until the upgrade is complete.
- Configure the upstream email gateway to strip active HTML content from GitLab notification messages.
- Advise recipients to view GitLab notification emails in plain-text mode where supported by their mail client.
```shell
# Upgrade example for an Omnibus GitLab installation on Debian/Ubuntu.
# Pin the fixed release of the branch you run (18.9.7, 18.10.6 or 18.11.3);
# on Community Edition use the gitlab-ce package with a "-ce.0" suffix.
sudo apt-get update
sudo apt-get install gitlab-ee=18.11.3-ee.0
sudo gitlab-ctl reconfigure
# Post-upgrade health check of the instance
sudo gitlab-rake gitlab:check SANITIZE=true
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.