CVE-2025-12716 Overview
GitLab has patched a stored cross-site scripting (XSS) flaw [CWE-79] in GitLab Community Edition (CE) and Enterprise Edition (EE) that allows an authenticated attacker to perform unauthorized actions in the context of another user. The issue affects all versions from 18.4 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2. An attacker creates a wiki page containing malicious content, and when a victim renders the page, the payload executes in the victim's browser session. The vulnerability has a CVSS score of 8.7 and requires user interaction. GitLab released fixes in versions 18.4.6, 18.5.4, and 18.6.2 on December 10, 2025.
Critical Impact
An authenticated user can execute actions on behalf of another GitLab user by tricking them into viewing a malicious wiki page, leading to account compromise and unauthorized repository or pipeline modifications.
Affected Products
- GitLab Community Edition (CE) 18.4 before 18.4.6
- GitLab Community Edition / Enterprise Edition 18.5 before 18.5.4
- GitLab Community Edition / Enterprise Edition 18.6 before 18.6.2
Discovery Timeline
- 2025-12-10 - GitLab releases patch versions 18.4.6, 18.5.4, and 18.6.2
- 2025-12-11 - CVE-2025-12716 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-12716
Vulnerability Analysis
The vulnerability is a stored cross-site scripting flaw classified under [CWE-79]. GitLab wikis allow project members to create and edit Markdown or other markup pages. Under certain conditions, the wiki rendering pipeline fails to sanitize attacker-controlled content before returning it to other users. When a victim navigates to the malicious wiki page, the injected payload executes within the victim's authenticated GitLab session.
Because the attack runs in the browser of an authenticated user, it inherits that user's GitLab privileges. An attacker can issue API requests, modify repository contents, change project settings, or alter CI/CD pipelines using the victim's identity. The scope change in the impact metrics reflects this cross-context execution.
Root Cause
The root cause is insufficient output encoding or sanitization in the wiki content rendering path. GitLab's wiki feature accepts user-supplied markup, and a specific content pattern bypassed the existing sanitizer, allowing executable script to reach the rendered DOM. GitLab has not released full technical details of the bypass to limit exploitation against unpatched instances.
Attack Vector
Exploitation requires an authenticated attacker with permission to create or edit wiki pages on a target project. The attacker crafts a wiki page with a malicious payload and waits for a higher-privileged user, such as a maintainer or owner, to view it. User interaction is required because the victim must load the wiki page. No additional privileges beyond standard project membership are needed to weaponize the issue.
No public proof-of-concept code is currently available. Technical discussion is tracked in the GitLab Issue Discussion and the HackerOne Security Report.
Detection Methods for CVE-2025-12716
Indicators of Compromise
- Wiki pages containing unexpected <script>, javascript:, or event-handler attributes such as onerror= and onload= in stored content
- Unusual GitLab API calls (token creation, SSH key addition, project transfer) originating from sessions that immediately followed a wiki page view
- New personal access tokens or webhooks created shortly after a user accessed a project wiki
Detection Strategies
- Query GitLab audit events for wiki page creation and update activity, correlating authors with subsequent privileged actions taken by viewers
- Inspect the wiki_pages and related Git wiki repositories for HTML or script content patterns that should not appear in rendered Markdown output
- Hunt web access logs for GitLab /wikis/ requests followed by sensitive API endpoint calls (/api/v4/users/*/personal_access_tokens, /api/v4/projects/*/access_tokens) from the same session
Monitoring Recommendations
- Enable and centralize GitLab audit logs, including wiki content modifications, and forward them to a SIEM for correlation
- Alert on creation of personal access tokens, SSH keys, or project tokens within a short window of wiki page rendering by the same user
- Track GitLab version inventory and flag any self-managed instance still running 18.4.x, 18.5.x, or 18.6.x below the patched releases
How to Mitigate CVE-2025-12716
Immediate Actions Required
- Upgrade self-managed GitLab CE/EE to 18.4.6, 18.5.4, or 18.6.2 as appropriate for your branch
- Audit wiki pages created or modified during the vulnerable window for suspicious markup or script content
- Rotate personal access tokens, SSH keys, and session cookies for users who viewed untrusted wikis prior to patching
- Review audit logs for unexpected administrative actions performed by maintainers or owners
Patch Information
GitLab addressed CVE-2025-12716 in the December 10, 2025 patch release. The fixed versions are GitLab 18.4.6, 18.5.4, and 18.6.2 for both Community and Enterprise editions. Details are available in the GitLab Release Patch Note. GitLab.com SaaS tenants are already running the patched version.
Workarounds
- Restrict wiki creation and edit permissions to trusted project members until the upgrade is completed
- Disable the wiki feature on sensitive projects through project settings if an immediate upgrade is not possible
- Enforce a strict Content Security Policy at the reverse proxy in front of GitLab to limit inline script execution
# Example: disable the wiki feature on a project via the GitLab API
curl --request PUT \
--header "PRIVATE-TOKEN: <admin_token>" \
--data "wiki_access_level=disabled" \
"https://gitlab.example.com/api/v4/projects/<project_id>"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
