CVE-2025-9642: 
GitLab vulnerability analysis and mitigation

An issue has been discovered in GitLab CE/EE affecting all versions from 14.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that could allow an attacker to inject malicious content that may lead to account takeover. The vulnerability was disclosed on September 26, 2025, and has been assigned CVE-2025-9642 (NVD).

The vulnerability is classified as a Cross-site Scripting (XSS) issue in Script Gadgets affecting both GitLab Community Edition (CE) and Enterprise Edition (EE). It has received a CVSS v3.1 base score of 8.7 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N. The National Vulnerability Database has assigned an even higher CVSS score of 9.6 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H (GitLab Release).

The vulnerability could allow an unauthenticated user to execute actions on behalf of other users by injecting malicious content. This could potentially lead to account takeover, compromising the confidentiality and integrity of affected GitLab instances (GitLab Release).

GitLab has released patches to address this vulnerability in versions 18.2.7, 18.3.3, and 18.4.1. Users are strongly recommended to upgrade to these patched versions immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take any action (GitLab Release).

The vulnerability was reported through GitLab's HackerOne bug bounty program by researcher joaxcar, demonstrating the effectiveness of GitLab's security research community engagement (GitLab Release).