PT-2025-50584 · GitLab · GitLab CE/EE

X0Abcd

·

Published

2025-12-10

·

Updated

2025-12-15

·

CVE-2025-12029

CVSS v3.1

8.0

High

Vector

AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

GitLab CE/EE versions 15.11 through 18.4.6
GitLab CE/EE versions 18.5 through 18.5.4
GitLab CE/EE versions 18.6 through 18.6.2

Description

GitLab CE/EE is affected by an issue that, under certain circumstances, could allow an unauthenticated user to perform unauthorized actions on behalf of another user. This is possible through the injection of malicious external scripts into the Swagger UI. The issue stems from improper neutralization of input during web page generation, i.e. a cross-site scripting (XSS) condition. As the CVSS vector indicates, the attacker needs no GitLab account (PR:N) but does need the victim to interact with attacker-controlled content (UI:R); the injected script then executes in the victim's browser context, which is why the impact crosses into the victim's session (S:C) with high confidentiality and integrity impact.

Recommendations

GitLab CE/EE versions 15.11 through 18.4.6 should be updated to a version later than 18.4.6.
GitLab CE/EE versions 18.5 through 18.5.4 should be updated to a version later than 18.5.4.
GitLab CE/EE versions 18.6 through 18.6.2 should be updated to a version later than 18.6.2.
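The following script is an added example (not GitLab's code and not part of this advisory) that turns the affected ranges above into a check a practitioner can run against the version string an instance reports, for example the `version` field returned by GitLab's `GET /api/v4/version` endpoint, which looks like "18.6.2-ee". The "first fixed" values in the table are derived from the advisory's "later than X" wording as the next patch number on the same minor line; that derivation is an assumption. The sample version strings in the usage line are constructed for illustration.

```python
"""Version-range check for CVE-2025-12029 (GitLab CE/EE, Swagger UI XSS).

Added example, not GitLab's own code. Given a version string as reported by a
GitLab instance (e.g. "18.6.2-ee"), reports whether it falls inside the ranges
the advisory lists as affected and which patch release first leaves the range.
"""
import re
import sys
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, last affected, first version "later than" the last affected
# one on the same minor line). The advisory only says "later than X"; taking the
# next patch number as the first fixed release is an assumption made here.
AFFECTED_RANGES = (
    ((15, 11, 0), (18, 4, 6), (18, 4, 7)),
    ((18, 5, 0), (18, 5, 4), (18, 5, 5)),
    ((18, 6, 0), (18, 6, 2), (18, 6, 3)),
)

# major.minor[.patch][-suffix]; GitLab appends "-ee"/"-ce", nightlies use "-pre".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9.]+))?$")


def parse_version(text: str) -> Tuple[Version, Optional[str]]:
    """'18.6.2-ee' -> ((18, 6, 2), 'ee'). A missing patch component is read as
    .0, which is how the advisory's lower bounds ("15.11", "18.5") are meant."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized GitLab version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0)), suffix


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def assess(text: str) -> Dict[str, object]:
    """Return {'version', 'affected', 'fixed_in', 'note'} for one version string."""
    version, suffix = parse_version(text)
    result: Dict[str, object] = {
        "version": fmt(version), "affected": False, "fixed_in": None, "note": "",
    }
    for low, high, fixed in AFFECTED_RANGES:
        # Tuple comparison gives correct numeric ordering (18.4.10 > 18.4.6).
        if low <= version <= high:
            result["affected"] = True
            result["fixed_in"] = fmt(fixed)
            result["note"] = (f"in affected range {fmt(low)}-{fmt(high)}; "
                              f"update to {fmt(fixed)} or later")
            break
    else:
        result["note"] = "not within the ranges the advisory lists as affected"
    if suffix not in (None, "ce", "ee"):
        # A pre-release/nightly build ("-pre") is not a released patch version;
        # the numeric comparison alone cannot tell whether it carries the fix.
        result["note"] += f"; suffix '-{suffix}' is not a release build, verify manually"
    return result


if __name__ == "__main__":
    # Constructed sample inputs; pass real version strings as arguments instead.
    for arg in sys.argv[1:] or ["18.6.2-ee", "18.6.3-ce", "15.11", "18.7.0-pre"]:
        r = assess(arg)
        state = "AFFECTED" if r["affected"] else "not affected"
        print(f"{arg}: {state} ({r['note']})")
```

Run it as `python check_cve_2025_12029.py 18.5.4-ee` or feed it the output of the version API. The nightly ("-pre") caveat matters because a build numbered above the last affected release is not proof that the Swagger UI fix is present; confirm against the release notes for such builds.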

XSS


Related Identifiers

BDU:2025-15867
BIT-GITLAB-2025-12029
CVE-2025-12029

Affected Products

GitLab CE/EE