Jump to the main content block
  1. Home
  2. Information Security
  3. Vulnerability Alert

【Vulnerability Alert】 Two Major Security Vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE)

publish date : 2025-03-21 update date : 2025-03-21

Source: Ministry of education information & communication security contingency platform

Publication Number TACERT-ANA-2025031811035959 Publication Time 2025/03/18 11:18
Incident Type ANA-Vulnerability Alert Discovery Time 2025/03/18 11:18
Impact Level Medium  
[Subject]
【Vulnerability Alert】 Two Major Security Vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE)
[Content]
Forwarded from TWCERTCC-200-202503-00000007

GitLab is a Git-based integrated software development (DevSecOps) platform offering features like version control and CI/CD automation. Recently, GitLab released several security advisories for both the Community Edition (CE) and Enterprise Edition (EE), along with patch versions. Among these, CVE-2025-25291 (CVSS 4.x: 8.8) and CVE-2025-25292 (CVSS 4.x: 8.8) are significant security vulnerabilities. These two authentication bypass vulnerabilities exist in the ruby-saml library, allowing attackers to access a pre-authenticated and validly signed SAML file and authenticate as another valid user.

Information Sharing Level: WHITE (Information content can be publicly disclosed)
[Affected Platform]
GitLab CE/EE
[Recommended Actions]
Update GitLab CE/EE to versions 17.7.7, 17.8.5, 17.9.2 or later
[Reference]
1.Two Major Security Vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE):
https://www.twcert.org.tw/tw/cp-169-10016-550eb-1.html

2.GitLab Critical Patch Release: 17.9.2, 17.8.5, 17.7.7:
https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released/#guest-with-custom-admin-group-member-permissions-can-approve-the-users-invitation-despite-user-caps

3.CVE-2025-25291:
https://nvd.nist.gov/vuln/detail/CVE-2025-25291

4.CVE-2025-25292:
https://nvd.nist.gov/vuln/detail/CVE-2025-25292
(This notification is for informational purposes only and does not constitute a cybersecurity incident).
If you have questions or suggestions regarding this notification, please feel free to contact us.
Ministry of education information & communication security contingency platform
Website: https://info.cert.tanet.edu.tw/
Phone: +886-7-5250211
Internet Phone: 98400000
E-Mail: service@cert.tanet.edu.tw
Organizer: Computer Center
Click Num:
Print