CVE-2025-7734: 
GitLab vulnerability analysis and mitigation

A high-severity cross-site scripting (XSS) vulnerability (CVE-2025-7734) was discovered in GitLab CE/EE affecting all versions from 14.2 before 18.0.6, 18.1 before 18.1.4 and 18.2 before 18.2.2. The vulnerability exists in the blob viewer component that, under certain conditions, could allow attackers to execute actions on behalf of users by injecting malicious content (GitLab Patch, GBHackers).

The vulnerability has been assigned a CVSS v3.1 base score of 8.7 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N. This indicates the vulnerability can be exploited over networks with low attack complexity, requiring only low privileges and user interaction. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (GitLab Patch).

If successfully exploited, the vulnerability allows attackers to execute actions on behalf of other users through malicious content injection in the blob viewer component. The high CVSS score reflects the potential for significant compromise of user accounts and data confidentiality (GBHackers, SecurityOnline).

GitLab has released security patches to address this vulnerability. Users are strongly recommended to upgrade to the latest patched versions: 18.0.6, 18.1.4, or 18.2.2. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take action. The patches include both regular migrations and post-deploy migrations that may impact upgrade processes (GitLab Patch).