CVE-2025-4700: 
GitLab vulnerability analysis and mitigation

An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that could potentially allow an attacker to trigger unintended content rendering leading to Cross-site Scripting (XSS). The vulnerability was disclosed on July 23, 2025, and affects both Community Edition (CE) and Enterprise Edition (EE) of GitLab (GitLab Release, NVD).

The vulnerability is classified as a Cross-site Scripting (XSS) issue (CWE-79) that specifically impacts the Kubernetes proxy feature in GitLab. It has been assigned a CVSS v3.1 base score of 8.7 (High), with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N. This indicates that the vulnerability requires network access, low attack complexity, low privileges, and user interaction to exploit. The scope is changed, with potential high impact on both confidentiality and integrity, while not affecting availability (GitLab Release).

The vulnerability could allow an attacker to perform cross-site scripting attacks, potentially leading to unauthorized access to sensitive information and the ability to modify content. The high CVSS score of 8.7 indicates significant potential impact on both confidentiality and integrity of the affected systems (GitLab Release).

GitLab has released patches to address this vulnerability in versions 18.0.5, 18.1.3, and 18.2.1. Organizations are strongly recommended to upgrade to these patched versions immediately. GitLab.com has already been updated with the security fix, and GitLab Dedicated customers do not need to take any action (GitLab Release).