CVE-2025-1763: 
GitLab vulnerability analysis and mitigation

An issue has been discovered in GitLab Enterprise Edition (EE) that allows for cross-site-scripting attack and content security policy bypass in a user's browser under specific conditions. The vulnerability, identified as CVE-2025-1763, affects all versions from GitLab 16.6 before 17.9.7, 17.10 before 17.10.5, and 17.11 before 17.11.1. The vulnerability was discovered and reported through GitLab's HackerOne bug bounty program by researcher joaxcar (GitLab Patch, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 8.7 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N. This scoring indicates that the vulnerability requires network access, low attack complexity, low privileges, and user interaction to exploit. The scope is changed, and it can result in high impacts to both confidentiality and integrity, though availability is not affected. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

The vulnerability enables attackers to perform cross-site scripting attacks and bypass content security policy in a user's browser under specific conditions. This could potentially lead to unauthorized access to sensitive information and manipulation of user data within the GitLab instance (GitLab Patch).

GitLab has released patches to address this vulnerability in versions 17.9.7, 17.10.5, and 17.11.1. Users are strongly recommended to upgrade their GitLab installations to one of these patched versions immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take any action (GitLab Patch).