GitLab’s Code Execution Nightmare: Critical Flaws Expose DevOps to Attack
Multiple severe vulnerabilities in GitLab put self-managed instances at risk of code execution, data leaks, and service outages - admins urged to patch now.
When a platform as central as GitLab - a linchpin of modern software development - suffers security lapses, the ripple effects can threaten entire organizations. This week, a sweeping set of vulnerabilities has emerged, revealing how attackers could hijack code repositories, extract secrets, and even bring DevOps pipelines to a standstill. For thousands of teams relying on GitLab, the race is on to patch before cybercriminals exploit these cracks.
GitLab has released urgent patches for a cluster of vulnerabilities that, if left unaddressed, could let attackers run malicious JavaScript in users’ browsers, access restricted AI model settings, and even disable services via denial-of-service attacks. These flaws lurked in essential features - GitLab Flavored Markdown, Web IDE, AI GraphQL endpoints, project imports, and runner management - affecting both the integrity and availability of the platform.
The most dangerous issues, CVE-2025-9222 and CVE-2025-13761, enable stored and reflected XSS attacks. In practice, a malicious actor could craft Markdown or web pages that execute code in an unsuspecting victim’s browser, potentially stealing credentials, siphoning session tokens, or hijacking administrative actions. With a CVSS score of 8.7, these bugs are considered high risk and require immediate attention.
Other vulnerabilities center on missing authorization checks. For example, CVE-2025-13772 and CVE-2025-13781 permit unauthorized users to view or alter AI provider settings, undermining the confidentiality and control of AI-powered workflows. Meanwhile, flaws like CVE-2025-10569 and CVE-2025-11246 could allow authenticated users to crash services or manipulate project runners outside their scope - potentially crippling CI/CD pipelines.
GitLab’s response: a rapid release of patches (versions 18.7.1, 18.6.3, and 18.5.5) distributed across all major deployment methods. While GitLab.com has already been updated, self-managed users must act themselves. Single-node setups should prepare for downtime due to database migrations, but multi-node environments can leverage zero-downtime upgrade procedures.
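Since the fix lands in a different patch release for each supported series, an administrator first has to work out which release their own instance must reach. The following triage helper is added here and is not GitLab's code or part of the original article: it classifies a reported version string against the three fixed releases named above. The `/api/v4/version` response is embedded as a constructed sample, and the edition-suffix handling (`-ee`, `-ce`) is an assumption about how the instance reports its version.

```python
"""Classify a self-managed GitLab version against the fixed releases
named in the advisory: 18.7.1, 18.6.3 and 18.5.5."""
from __future__ import annotations

import json

# Series -> first release in that series that carries the fixes.
PATCHED: dict[tuple[int, int], tuple[int, int, int]] = {
    (18, 7): (18, 7, 1),
    (18, 6): (18, 6, 3),
    (18, 5): (18, 5, 5),
}

# Constructed sample of what GET /api/v4/version returns (not a real instance).
SAMPLE_VERSION_RESPONSE = '{"version": "18.6.2-ee", "revision": "deadbeef"}'


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '18.6.2-ee' or '18.6.2' into (18, 6, 2); reject anything else."""
    core = text.strip().split("-")[0]          # drop edition suffix such as -ee / -ce
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized GitLab version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def assess(text: str) -> str:
    """Return 'patched', 'vulnerable', 'older-series-upgrade' or 'newer-than-advisory'."""
    version = parse_version(text)
    series = version[:2]
    if series in PATCHED:
        return "patched" if version >= PATCHED[series] else "vulnerable"
    if series > max(PATCHED):
        # Released after the advisory; not one of the three series it names.
        return "newer-than-advisory"
    # 18.4 and earlier get no fixed release: the only remedy is moving to a fixed series.
    return "older-series-upgrade"


def assess_api_response(body: str) -> str:
    """Classify the JSON body returned by GitLab's /api/v4/version endpoint."""
    return assess(json.loads(body)["version"])


if __name__ == "__main__":
    for v in ("18.7.0-ee", "18.7.1-ee", "18.6.2-ce", "18.5.5", "18.4.9"):
        print(f"{v:12} -> {assess(v)}")
    print("sample API response ->", assess_api_response(SAMPLE_VERSION_RESPONSE))
```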
Experts warn that these vulnerabilities, if weaponized, could serve as an entry point for sophisticated supply chain attacks or lead to devastating internal breaches. GitLab administrators are urged not only to patch but also to audit their systems, restrict external access, and monitor for anomalies - especially in components targeted by these flaws.
As the dust settles, this incident is a stark reminder: in DevOps, complacency is the enemy. The speed of patching can be the difference between thwarting an attacker and becoming the next headline. For GitLab users, the message is clear - update now, or face the consequences.
WIKICROOK
- Cross-Site Scripting (XSS): Cross-Site Scripting is a cyberattack where hackers inject malicious script into web pages so that it runs in other users' browsers, letting them steal user data or hijack sessions.
- CVSS: CVSS (Common Vulnerability Scoring System) is a standard method for rating the severity of security flaws, with scores from 0.0 to 10.0.
- Authorization bypass: Authorization bypass is a flaw that allows users to access systems or data without proper permission checks, leading to potential security risks.
- Denial of service (DoS): A Denial of Service (DoS) attack overloads or crashes a device or service, making it unavailable to users or other systems.
- Runner: A runner is a component in CI/CD systems that executes automated jobs, such as testing and deployment, to streamline and secure development workflows.