CVE-2025-4439: 
GitLab vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability has been identified in GitLab CE/EE, tracked as CVE-2025-4439. The vulnerability affects all versions from 15.10 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1. This security issue could allow an authenticated user to perform cross-site scripting attacks when the GitLab instance is served through certain content delivery networks (GitLab Release, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 7.7 (High severity) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N. The issue specifically relates to the handling of content when GitLab instances are served through content delivery networks, potentially allowing for cross-site scripting attacks (GitLab Release).

The vulnerability could allow authenticated users to perform cross-site scripting attacks, potentially leading to the execution of arbitrary web scripts or HTML in a victim's browser context. This could result in theft of sensitive information, session hijacking, or other malicious actions when the GitLab instance is accessed through certain CDNs (GitLab Release).

GitLab has released security patches to address this vulnerability. Users are strongly advised to upgrade to the following fixed versions: GitLab CE/EE version 18.0.5, 18.1.3, or 18.2.1. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take action (GitLab Release, ASEC).