GitLab has patched a host of worrying security issues
Among the flaws were two critical severity issues

- GitLab releases patch for nine flaws, including two critical severity ones
- The critical flaws allowed threat actors to bypass authentication and could lead to data exfiltration
- Patch is available now, with GitLab urging users to apply it
GitLab has patched nine vulnerabilities affecting its Community Edition (CE) and Enterprise Edition (EE) solutions, and urged users to apply the patch immediately.
In its security advisory, GitLab said that two of the nine flaws are critical severity issues that allow threat actors to bypass authentication.
Users are urged to update their GitLab CE/EE installations to versions 17.7.7, 17.8.5, or 17.9.2 as soon as possible. GitLab.com is already patched, and GitLab Dedicated customers will be updated automatically, so no action is required on their end. Users running self-managed installations, however, need to apply the patch themselves.
Mitigating and patching
"We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible," GitLab said.
The two critical severity flaws are tracked as CVE-2025-25291 and CVE-2025-25292. Both were discovered in the ruby-saml library, which GitLab uses for SAML Single Sign-On (SSO) authentication at the instance or group level. An authenticated attacker with access to a valid signed SAML document can impersonate another user within the same SAML Identity Provider (IdP) environment, and thus gain access to that user's account.
This, in turn, could lead to data exfiltration, privilege escalation, and more.
Users who cannot apply the patch immediately should mitigate the risk by making sure all users on GitLab self-managed instances have 2FA set up in GitLab itself (2FA at the identity provider level does not help). They should also disable the SAML two-factor bypass option and require admin approval for auto-created users.
GitLab stressed that these should only be seen as temporary mitigations, and that the only way to permanently address the issue is to apply the patch.
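The three interim mitigations above map to instance settings that an administrator can check. As an added illustration, not code from the article or from GitLab, the following stand-alone Ruby script audits those settings on constructed sample data; the two `omniauth_*` keys are real Omnibus GitLab (`/etc/gitlab/gitlab.rb`) settings, while `require_two_factor_authentication` is an assumed name standing in for the Admin Area "enforce 2FA for all users" switch.

```ruby
# Added example, not from the article or GitLab: audits the settings behind the
# interim mitigations (disable SAML 2FA bypass, hold auto-created users for admin
# approval, enforce 2FA inside GitLab). The omniauth_* keys are real gitlab.rb
# settings; 'require_two_factor_authentication' is an assumed name for the
# Admin Area 2FA enforcement switch.

# Constructed sample: a self-managed instance using SAML SSO with none of the
# mitigations in place.
WEAK_SETTINGS = {
  'omniauth_providers' => [{ name: 'saml', label: 'Corp IdP' }],
  'omniauth_allow_bypass_two_factor' => ['saml'], # SAML logins skip GitLab 2FA
  'omniauth_block_auto_created_users' => false,   # new SAML users active at once
  'require_two_factor_authentication' => false    # 2FA only optional in GitLab
}.freeze

# The same instance with all three mitigations applied.
HARDENED_SETTINGS = WEAK_SETTINGS.merge(
  'omniauth_allow_bypass_two_factor' => false,
  'omniauth_block_auto_created_users' => true,    # admin must approve new users
  'require_two_factor_authentication' => true     # 2FA enforced by GitLab itself
).freeze

def saml_enabled?(settings)
  Array(settings['omniauth_providers']).any? { |p| p[:name].to_s == 'saml' }
end

# Returns a list of findings; an empty list means all three mitigations hold.
# Instances without a SAML provider are out of scope and produce no findings.
def audit_saml_mitigations(settings)
  findings = []
  return findings unless saml_enabled?(settings)

  # The bypass setting may be true (all providers), false, or a provider list.
  bypass = settings.fetch('omniauth_allow_bypass_two_factor', false)
  if bypass == true || Array(bypass).map(&:to_s).include?('saml')
    findings << 'SAML two-factor bypass enabled: set omniauth_allow_bypass_two_factor to false'
  end
  unless settings['omniauth_block_auto_created_users'] == true
    findings << 'auto-created users not held for approval: set omniauth_block_auto_created_users to true'
  end
  unless settings['require_two_factor_authentication'] == true
    findings << 'GitLab-side 2FA not enforced: IdP-level 2FA does not cover this issue'
  end
  findings
end

if $PROGRAM_NAME == __FILE__
  audit_saml_mitigations(WEAK_SETTINGS).each { |f| puts "WEAK: #{f}" }
  puts 'hardened: no findings' if audit_saml_mitigations(HARDENED_SETTINGS).empty?
end
```

These checks confirm only the stop-gap settings; they say nothing about whether the patched GitLab version is installed.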
GitHub says its platform is not affected by this discovery, since it stopped using the ruby-saml library more than a decade ago, BleepingComputer found.
"GitHub doesn't currently use ruby-saml for authentication, but began evaluating the use of the library with the intention of using an open source library for SAML authentication once more," GitHub said.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.