GitLab has released versions 18.2.1, 18.1.3, and 18.0.5 of Community Edition (CE) and Enterprise Edition (EE), patching six security vulnerabilities.
Among them are two high-severity cross-site scripting (XSS) issues in GitLab's Kubernetes proxy feature.
All six were reported through GitLab's HackerOne bug bounty program. Administrators of self-managed installations are advised to upgrade immediately.
Kubernetes Proxy Vulnerabilities:
The most severe issues in this release are two cross-site scripting flaws in GitLab's Kubernetes proxy.
CVE-2025-4700, rated CVSS 8.7, affects the Kubernetes proxy feature and could allow an authenticated attacker to cause unintended content rendering, resulting in XSS under certain conditions.
It affects all GitLab CE/EE versions from 15.10 up to, but not including, the patched releases (18.0.5, 18.1.3, and 18.2.1).
CVE-2025-4439 is a related XSS issue in the same feature that specifically affects instances served through a content delivery network (CDN); it is rated CVSS 7.7.
Both vulnerabilities were reported by the researcher joaxcar via HackerOne, a further sign that GitLab's bug bounty program is surfacing significant issues.
Information Disclosure and Access Control Issues:
The remaining four vulnerabilities are medium severity, each rated CVSS 4.3.
CVE-2025-7001 is a sensitive-information disclosure through the resource_group API. CVE-2025-4976 fixes an access-control flaw that could expose internal notes in GitLab Duo responses; it affects Enterprise Edition only.
CVE-2025-0765 and CVE-2025-1299 address unauthorized access to service desk emails and to deployment job logs.
These four issues were reported by the researchers iamgk808, rogerace, and pwnie.
GitLab urges all self-managed users to upgrade to the latest patch versions immediately. GitLab.com already runs the patched versions, and GitLab Dedicated customers do not need to take any action.
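To turn the affected-version statement into something an administrator can actually run, here is an added example that is not GitLab's code and not part of the original article. It classifies a GitLab version string against the three patched releases named above. The lower bound 15.10 is the one the article gives for CVE-2025-4700; the per-branch boundaries (18.0 before 18.0.5, 18.1 before 18.1.3, 18.2 before 18.2.1) are assumed from GitLab's usual "X before Y" advisory wording, and treating branches newer than 18.2 as unaffected is likewise an assumption.

```python
from __future__ import annotations

# Patched releases named in the article: 18.2.1, 18.1.3, 18.0.5.
# Branch boundaries are assumed from GitLab's usual advisory phrasing
# ("from 15.10 before 18.0.5, 18.1 before 18.1.3, 18.2 before 18.2.1").
AFFECTED_FROM = (15, 10, 0)
FIXED_RELEASES = {
    (18, 0): (18, 0, 5),
    (18, 1): (18, 1, 3),
    (18, 2): (18, 2, 1),
}


def parse_version(raw: str) -> tuple[int, int, int]:
    """Turn '18.1.2-ee' or '17.11.0' into a comparable (major, minor, patch) tuple.

    GitLab reports versions as '<major>.<minor>.<patch>-<edition>'; the edition
    suffix is irrelevant to the affected range and is dropped here.
    """
    core = raw.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {raw!r}")
    nums = [int(p) for p in parts] + [0, 0]   # pad '18.1' to (18, 1, 0)
    return nums[0], nums[1], nums[2]


def patched_release(raw: str) -> str | None:
    """Return the patched release for this version's branch, or None if the
    branch (for example 17.x) received no patch in this cycle."""
    major, minor, _ = parse_version(raw)
    fixed = FIXED_RELEASES.get((major, minor))
    return ".".join(str(n) for n in fixed) if fixed else None


def is_vulnerable(raw: str) -> bool:
    """True if the running version falls inside the affected range."""
    v = parse_version(raw)
    if v < AFFECTED_FROM:
        return False
    fixed = FIXED_RELEASES.get((v[0], v[1]))
    if fixed is not None:
        return v < fixed
    # Branches between 15.10 and 18.0 (e.g. 17.x) got no fix in this cycle:
    # every release on them is affected and needs a move to a patched branch.
    if v < (18, 0, 0):
        return True
    # Assumption: branches newer than 18.2 postdate these patches.
    return False


if __name__ == "__main__":
    # Constructed sample inputs, not versions observed on any real instance.
    for sample in ["17.11.6-ee", "18.0.4", "18.0.5", "18.1.2-ee", "18.2.0", "18.2.1"]:
        status = "VULNERABLE" if is_vulnerable(sample) else "patched"
        target = patched_release(sample) or "no patched release on this branch"
        print(f"{sample:12} {status:11} fix: {target}")
```

The version string to feed in can be taken from the instance's own `GET /api/v4/version` endpoint (authenticated) or from `gitlab-rake gitlab:env:info` on the host; the check itself runs offline.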
InfoSecBulletin Cybersecurity for mankind
