CVE-2025-0362: 
GitLab vulnerability analysis and mitigation

An issue has been discovered in GitLab CE/EE affecting all versions from 7.7 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. Under certain conditions, an attacker could potentially trick users into unintentionally authorizing sensitive actions on their behalf. The vulnerability was disclosed on April 9, 2025, and has been assigned CVE-2025-0362 (NVD, GitLab Release).

The vulnerability is classified as CWE-1021 (Improper Restriction of Rendered UI Layers or Frames). It has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N. This scoring indicates that the vulnerability requires network access, has high attack complexity, requires low privileges, and user interaction, with potential for high confidentiality and integrity impact but no availability impact (NVD).

The vulnerability could allow attackers to trick users into unintentionally authorizing sensitive actions on their behalf, potentially compromising both confidentiality and integrity of user actions within GitLab instances (GitLab Release).

GitLab has released patches in versions 17.8.7, 17.9.6, and 17.10.4 to address this vulnerability. All affected installations are strongly recommended to upgrade to these patched versions immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take any action (GitLab Release).