CVE-2025-0555: 
GitLab vulnerability analysis and mitigation

A Cross Site Scripting (XSS) vulnerability was discovered in GitLab Enterprise Edition (EE) affecting versions from 16.6 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1. The vulnerability was reported through GitLab's HackerOne bug bounty program by researcher joaxcar and was assigned identifier CVE-2025-0555 (GitLab Release, CVE Mitre).

The vulnerability allows attackers to bypass security controls and execute arbitrary scripts in a user's browser under specific conditions. It has been assigned a CVSS score of 7.7 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N), indicating high severity. The vulnerability specifically affects the Maven Dependency Proxy component in GitLab-EE (Security Online, GitLab Release).

If exploited, this vulnerability could allow attackers to execute malicious scripts in users' browsers, potentially leading to theft of sensitive data or unauthorized actions within the GitLab instance. The high severity CVSS score indicates significant potential impact on confidentiality and integrity of the affected systems (Security Online).

GitLab has released patches to address this vulnerability in versions 17.9.1, 17.8.4, and 17.7.6. All affected organizations running self-managed GitLab installations are strongly recommended to upgrade to one of these patched versions immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take any action (GitLab Release).