CVE-2025-2255 — Cross-site Scripting in Gitlab

CWE-79 — Cross-site Scripting CWE-416 — Use After Free CWE-345 — Insufficient Verification of Data Authenticity7 documents7 sources

Severity

5.4MEDIUMNVD

EPSS

0.2%

top 63.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab EE +1 more

Timeline

PublishedMar 27

Description

An issue has been discovered in Gitlab EE/CE for AppSec affecting all versions from 13.5.0 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. Certain error messages could allow Cross-Site Scripting attacks (XSS). for AppSec.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages6 packages

▶CVEListV5gitlab/gitlab17.9 — 17.9.3+1

▶NVDgitlab/gitlab13.5.0 — 17.8.6+2

▶debiandebian/gitlab

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ee

🔴Vulnerability Details

GHSA

GHSA-9pqg-5frc-r6c9: An issue has been discovered in Gitlab EE/CE for AppSec affecting all versions from 13↗2025-03-27

▶

OSV

CVE-2025-2255: An issue has been discovered in Gitlab EE/CE for AppSec affecting all versions from 13↗2025-03-27

▶

📋Vendor Advisories

GitLab

CVE-2025-2255: An issue has been discovered in Gitlab EE/CE for AppSec affecting all versions from 13.5.0 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1↗2025-03-27

▶

Debian

CVE-2025-2255: gitlab - An issue has been discovered in Gitlab EE/CE for AppSec affecting all versions f...↗2025

▶

Microsoft

A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy allowing an attacker to pass the X-Client-IP header to the target WSGI application b↗2022-08-09

▶