CVE-2025-14560 Overview
A Cross-Site Scripting (XSS) vulnerability has been identified in GitLab CE/EE that affects all versions from 17.1 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4. Under certain conditions, this vulnerability allows an authenticated user to perform unauthorized actions on behalf of another user by injecting malicious content into the vulnerability code flow feature.
Critical Impact
Authenticated attackers can inject malicious scripts to hijack user sessions, perform unauthorized actions, and potentially compromise sensitive repository data within affected GitLab instances.
Affected Products
- GitLab CE/EE versions 17.1 to 18.6.5
- GitLab CE/EE versions 18.7 to 18.7.3
- GitLab CE/EE versions 18.8 to 18.8.3
Discovery Timeline
- 2026-02-10 - GitLab releases security patch (versions 18.8.4, 18.7.4, 18.6.6)
- 2026-02-11 - CVE CVE-2025-14560 published to NVD
- 2026-02-11 - Last updated in NVD database
Technical Details for CVE-2025-14560
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The flaw exists within GitLab's vulnerability code flow feature, where user-supplied input is not properly sanitized before being rendered in the browser context.
The attack requires authentication to the GitLab instance and user interaction (such as viewing a compromised page). When exploited, the attacker can execute arbitrary JavaScript code in the context of another authenticated user's session, potentially leading to session hijacking, data theft, or performing unauthorized actions within the GitLab environment.
Root Cause
The root cause stems from insufficient input validation and output encoding in the vulnerability code flow feature. When processing security vulnerability data, the application fails to properly sanitize or escape user-controlled content before rendering it in the web interface. This allows malicious HTML or JavaScript payloads to be stored and subsequently executed when other users view the affected content.
Attack Vector
The attack is network-accessible and requires the attacker to have low privileges (authenticated user status) on the target GitLab instance. The attacker must craft a malicious payload containing JavaScript code and inject it into the vulnerability code flow data. When another authenticated user views this content, the malicious script executes in their browser context, allowing the attacker to:
- Steal session tokens and authentication cookies
- Perform actions on behalf of the victim user
- Access sensitive project and repository data
- Modify security vulnerability reports
- Potentially escalate privileges if the victim has higher access levels
The vulnerability exploits the trust relationship between the GitLab server and its users, leveraging stored XSS to persist the malicious payload within the application.
Detection Methods for CVE-2025-14560
Indicators of Compromise
- Unusual JavaScript or HTML content within vulnerability code flow entries
- Unexpected API calls originating from user sessions after viewing vulnerability reports
- Session tokens being transmitted to external domains
- Anomalous user activity patterns following interaction with vulnerability scanning features
Detection Strategies
- Monitor web application logs for suspicious script injection patterns in vulnerability code flow submissions
- Implement Content Security Policy (CSP) violation reporting to detect inline script execution attempts
- Deploy web application firewall (WAF) rules to detect XSS payload signatures in requests
- Audit vulnerability code flow entries for unexpected HTML or script tags
Monitoring Recommendations
- Enable detailed GitLab audit logging for all vulnerability management operations
- Configure browser-based XSS detection headers and monitor for violations
- Implement real-time alerting for unusual session behavior following vulnerability report access
- Review access patterns to vulnerability code flow features for anomalous activity
How to Mitigate CVE-2025-14560
Immediate Actions Required
- Upgrade GitLab CE/EE to version 18.8.4, 18.7.4, or 18.6.6 immediately
- Review vulnerability code flow entries for any suspicious or malicious content
- Rotate session tokens for users who may have accessed compromised vulnerability reports
- Implement additional input validation at the network perimeter using WAF rules
Patch Information
GitLab has released patched versions addressing this vulnerability. Organizations should upgrade to one of the following versions based on their current deployment:
| Current Version Range | Recommended Upgrade |
|---|---|
| 17.1 - 18.6.5 | 18.6.6 |
| 18.7 - 18.7.3 | 18.7.4 |
| 18.8 - 18.8.3 | 18.8.4 |
For detailed patch information, refer to the GitLab Patch Release Notification and the GitLab Issue Tracker. The vulnerability was reported through the HackerOne Bug Bounty Program.
Workarounds
- Restrict access to vulnerability code flow features to trusted users only until patches can be applied
- Implement strict Content Security Policy headers to mitigate script execution
- Enable HTTP-only and Secure flags on all session cookies
- Consider temporarily disabling the vulnerability code flow feature if immediate patching is not possible
- Deploy network-level filtering to detect and block XSS payloads in transit
# GitLab upgrade command example
# For Omnibus installations:
sudo apt-get update
sudo apt-get install gitlab-ce=18.8.4-ce.0
# or for Enterprise Edition:
sudo apt-get install gitlab-ee=18.8.4-ee.0
# Reconfigure GitLab after upgrade
sudo gitlab-ctl reconfigure
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
