GitLab has patched a host of worrying security issues


  • GitLab releases patch for nine flaws, including two critical severity ones
  • The critical flaws allowed threat actors to bypass authentication and could lead to data exfiltration
  • Patch is available now, with GitLab urging users to apply it

GitLab has patched nine vulnerabilities affecting its Community Edition (CE) and Enterprise Edition (EE) solutions, and urged users to apply the patch immediately.

In its security advisory, GitLab said that two of the nine flaws are rated critical severity and allow threat actors to bypass authentication.

Users are urged to upgrade GitLab CE/EE to versions 17.7.7, 17.8.5, or 17.9.2 as soon as possible. GitLab.com is already patched, and GitLab Dedicated customers will be updated automatically, so no action is required on their end. Users who run self-managed installations, however, will need to apply the patch themselves.


Mitigating and patching

"We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible," GitLab said.

The two critical severity flaws are tracked as CVE-2025-25291 and CVE-2025-25292. Both were discovered in the ruby-saml library, which GitLab uses for SAML Single Sign-On (SSO) authentication at the instance or group level. An authenticated attacker with access to a valid signed SAML document can impersonate another user within the same SAML Identity Provider (IdP) environment, and thus gain access to that user's account.

This, in turn, could lead to data exfiltration, privilege escalation, and more.

Users who cannot apply the patch immediately should mitigate the risk by making sure all users on GitLab self-managed instances have 2FA set up (2FA at the identity provider level does not help). They should also disable the SAML two-factor bypass option, and should request admin approval for auto-created users.

GitLab stressed that these should only be seen as temporary mitigations, and that the only way to permanently address the issue is to apply the patch.
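A small triage helper for self-managed admins, added here as an example (it is not GitLab's own tooling): it maps an instance's version string onto the fixed releases listed above and reports whether the instance is patched, which release to upgrade to, or whether to fall back on the interim mitigations. It assumes that releases newer than 17.9 carry the fix and that series older than 17.7 are affected, neither of which the article states.

```python
"""Triage a self-managed GitLab version against the fixed releases
named in the advisory (17.7.7, 17.8.5, 17.9.2). Added example, not
GitLab's own tooling."""
import re
from typing import Optional, Tuple

# Fixed release per minor series, taken from the advisory text.
FIXED = {(17, 7): (17, 7, 7), (17, 8): (17, 8, 5), (17, 9): (17, 9, 2)}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Accept '17.8.4', '17.8.4-ee' or 'v17.8.4' and return (major, minor, patch)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def triage(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, recommended target release or None).

    status is 'patched', 'upgrade' or 'assume_vulnerable'.
    Assumption (not on the page): releases newer than 17.9 are treated
    as patched; series older than 17.7 have no fixed release listed, so
    they are flagged as vulnerable and pointed at the oldest fixed release.
    """
    major, minor, patch = parse_version(version)
    series = (major, minor)
    if series in FIXED:
        fixed = FIXED[series]
        if (major, minor, patch) >= fixed:
            return "patched", None
        return "upgrade", ".".join(map(str, fixed))
    if series > max(FIXED):
        return "patched", None  # assumption: later series carry the fix
    # Older than 17.7: no fix on that series, apply mitigations and upgrade
    return "assume_vulnerable", ".".join(map(str, min(FIXED.values())))


if __name__ == "__main__":
    # Constructed sample inputs, as an admin might read them from /api/v4/version
    for v in ["17.8.4-ee", "17.9.2", "17.6.1", "17.10.0"]:
        print(v, triage(v))
```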

GitHub says its platform is not affected by this discovery, since it stopped using the ruby-saml library more than a decade ago, BleepingComputer found.

"GitHub doesn't currently use ruby-saml for authentication, but began evaluating the use of the library with the intention of using an open source library for SAML authentication once more," GitHub said.

Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

