CVE-2025-7739: 
GitLab vulnerability analysis and mitigation

A stored cross-site scripting (XSS) vulnerability identified as CVE-2025-7739 was discovered in GitLab CE/EE affecting all versions from 18.2 before 18.2.2. The vulnerability allows authenticated users to achieve stored cross-site scripting by injecting malicious HTML content in scoped label descriptions. The issue was discovered through GitLab's HackerOne bug bounty program by researcher yvvdwf and was patched on August 13, 2025 (GitLab Patch, GBHackers).

The vulnerability has been assigned a CVSS v3.1 base score of 8.7 HIGH with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N. This indicates the vulnerability can be exploited over the network with low attack complexity, requires low privileges and user interaction, has changed scope, and can result in high confidentiality and integrity impacts without affecting availability (GitLab Patch).

The vulnerability enables authenticated users to inject malicious HTML content into scoped label descriptions, which could lead to stored cross-site scripting attacks. When successful, this could allow attackers to execute actions on behalf of other users who view the compromised labels (GBHackers, SecurityOnline).

GitLab has released patches to address this vulnerability in version 18.2.2. Organizations running affected versions are strongly recommended to upgrade immediately to the patched version. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take action (GitLab Patch).