- GitLab releases patch for nine flaws, including two critical severity ones
- The critical flaws allowed threat actors to bypass authentication and could lead to data exfiltration
- Patch is available now, with GitLab urging users to apply it
GitLab has patched nine vulnerabilities affecting its Community Edition (CE) and Enterprise Edition (EE) solutions, and urged users to apply the patch immediately.
In a security advisory published, GitLab said that among the nine flaws are two critical severity ones, which allow threat actors to bypass authentication.
Users are urged to bring their GitLab CE/EE to versions 17.7.7, 17.8.5, and 17.9.2, as soon as possible. GitLab.com is already patched, and GitLab Dedicated customers will be updated automatically, so no action is required on their end. However, users who run self-managed installations will need to patch up, as well.
Mitigating and patching
“We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible,” GitLab said.
The two critical severity flaws are tracked as CVE-2025-25291 and CVE-2025-25292. They were both discovered in the ruby-saml library, which is used for SAML Single Sign-On (SSO) authentication at the instance or group level. An authenticated attacker, with access to a valid signed SAML document, can impersonate another user with the same SAML Identity Provider (IdP) environment, and thus gain access to their account.
This, in turn, could lead to data exfiltration, privilege escalation, and more.
Users who cannot apply the patch immediately should mitigate the risk by making sure all users on GitLab self-managed instances have 2FA set up (2FA at the identity provider level does not help). They should also disable the SAML two-factor bypass option, and should request admin approval for auto-created users.
GitLab stressed that these should only be seen as temporary mitigations, and that the only way to permanently address the issue is to apply the patch.
GitHub says its platform is not affected by this discovery, since it stopped using the ruby-saml library more than a decade ago,, BleepingComputer found.
“GitHub doesn’t currently use ruby-saml for authentication, but began evaluating the use of the library with the intention of using an open source library for SAML authentication once more,” GitHub said.
Via BleepingComputer
Leave a comment