CVE-2025-2254 — Cross-site Scripting in Gitlab

CWE-79 — Cross-site Scripting6 documents6 sources

Severity

6.1MEDIUMNVD

EPSS

0.3%

top 48.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab CE

Timeline

PublishedJun 12

Description

An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2. Improper output encoding in the snipper viewer functionality lead to Cross-Site scripting attacks.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages5 packages

▶CVEListV5gitlab/gitlab17.9 — 17.10.8+2

▶NVDgitlab/gitlab17.9.0 — 17.10.8+2

▶debiandebian/gitlab

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

🔴Vulnerability Details

OSV

CVE-2025-2254: An issue has been discovered in GitLab CE/EE affecting all versions from 17↗2025-06-12

▶

GHSA

GHSA-27jm-6pj2-8w7g: An issue has been discovered in GitLab CE/EE affecting all versions from 17↗2025-06-12

▶

📋Vendor Advisories

GitLab

CVE-2025-2254: An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2. Improper o↗2025-06-12

▶

Debian

CVE-2025-2254: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 be...↗2025

▶

🕵️Threat Intelligence

Bleepingcomputer

GitLab patches high severity account takeover, missing auth issues↗2025-06-12

▶