CVE-2025-0475 HIGH

CVE-2025-0475: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab

Vendor Gitlab
Product GitLab
Weakness CWE-79 · XSS
Published March 3, 2025
Last update March 3, 2025
View on NVD All CVEs

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1. A proxy feature could potentially allow unintended content rendering leading to XSS under specific circumstances.

Key dates

02Disclosure timeline

March 3, 2025 CVE published
March 3, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-47011 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) CVE-2025-31636 WordPress WP Post Modules for Elementor plugin <= 2.5.0 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2025-31073 WordPress Unlimited plugin <= 1.45 - Cross Site Scripting (XSS) Vulnerability CVE-2023-40205 WordPress PixTypes Plugin <= 1.4.15 is vulnerable to Cross Site Scripting (XSS) CVE-2023-51691 WordPress wpDiscuz Plugin <= 7.6.12 is vulnerable to Cross Site Scripting (XSS)