
CVE-2025-0475

Severity: High

Published: 03 March 2025
Modified: 07 March 2025
KEV Added: not listed
CVSS v3.1: 8.7 (High) CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
EPSS: 0.0115 (78.9th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-0475 is a high-severity cross-site scripting (CWE-79) vulnerability in GitLab CE/EE. Its CVSS v3.1 base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK techniques Browser Session Hijacking (T1185) and Steal Web Session Cookie (T1539). Its EPSS percentile (78.9th) places it in the top 21.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-0475 is a cross-site scripting vulnerability (CWE-79) in GitLab Community Edition and Enterprise Edition. It affects all versions from 15.10 before 17.7.6, 17.8 before 17.8.4, and 17.9 before 17.9.1. The flaw lies in a proxy feature that, under specific circumstances, can cause content to be rendered in a way that was not intended, resulting in XSS. The published description does not identify the proxy feature, the triggering circumstances, or whether the injected content is reflected or persisted.

An authenticated attacker with low privileges (PR:L) can trigger the issue over the network (AV:N) with low attack complexity (AC:L), but a victim must interact, for example by opening the affected page (UI:R). The scope change (S:C) reflects that the injected script runs in the victim's browser rather than in the vulnerable component; confidentiality and integrity impact are both high because the script executes in the victim's session on the GitLab origin and can read or modify whatever that user can reach in the affected instance. Availability is not impacted (A:N).

The fixed releases are 17.7.6, 17.8.4 and 17.9.1; mitigation is to upgrade each affected instance to the fixed release for its branch, or later. The EPSS score has stayed flat at 0.0115 with no material increase since disclosure.
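Turning the three version constraints into a check is the first thing an operator wants. The following is an added example, not GitLab's own tooling: it encodes the advisory's ranges as half-open intervals (first affected version up to, but not including, the fixed release on that branch) and reports the smallest fixed release for the instance's branch. It assumes the version string looks like the value returned by the instance's `GET /api/v4/version` endpoint (for example `17.8.3-ee`); the function names are this example's own.

```python
"""Is a GitLab CE/EE version inside an affected range for CVE-2025-0475?

Added example, not GitLab tooling. Ranges are taken from the advisory text:
each branch is affected from the first tuple up to, but not including, the
fixed release. Version strings are assumed to look like the `version` field of
GET /api/v4/version (e.g. '17.8.3-ee') or the output of
`gitlab-rake gitlab:env:info`.
"""
import re
import sys
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, first fixed) per branch, from the advisory.
AFFECTED_RANGES = (
    ((15, 10, 0), (17, 7, 6)),  # 15.10 before 17.7.6
    ((17, 8, 0), (17, 8, 4)),   # 17.8 before 17.8.4
    ((17, 9, 0), (17, 9, 1)),   # 17.9 before 17.9.1
)

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    """Parse '17.8.3', 'v17.9.0-ee' or '17.8' into a comparable
    (major, minor, patch) tuple. Edition/pre-release suffixes are ignored and a
    missing patch component is treated as .0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def first_fixed(version: str) -> Optional[str]:
    """Return the first fixed release on the instance's branch, or None when the
    version lies outside every affected range (already patched, older than
    15.10, or on a branch newer than 17.9)."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(map(str, hi))
    return None


def is_affected(version: str) -> bool:
    return first_fixed(version) is not None


if __name__ == "__main__":
    # Usage: python check_cve_2025_0475.py 17.8.3-ee 17.7.6 16.11.2
    for arg in sys.argv[1:] or ["17.8.3-ee"]:
        fix = first_fixed(arg)
        verdict = f"AFFECTED, upgrade to {fix} or later" if fix else "not in an affected range"
        print(f"{arg}: {verdict}")
```

Two edge cases worth noting: a release on an unlisted branch (17.10 and later, or anything below 15.10) falls outside every interval and is reported as not affected, which matches the advisory's wording; and 17.7.x instances older than 17.7.6 are told to go to 17.7.6 even though 17.8 and 17.9 also carry fixes, because that is the smallest fixed release on their own branch.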


Vulnerability details

An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1. A proxy feature could potentially allow unintended content rendering leading to XSS under specific circumstances.

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1185 Browser Session Hijacking (Collection): Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.

T1539 Steal Web Session Cookie (Credential Access): An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

Script injected through the proxy feature executes in the victim's browser on the GitLab origin, which is the precondition for both techniques: the script can drive the session as the logged-in user (T1185) and, where the session cookie is readable by script, exfiltrate it for reuse elsewhere (T1539). If the session cookie carries the HttpOnly flag the cookie value itself is out of reach, but the script can still issue authenticated same-origin requests, so the T1185 mapping holds regardless.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-11224 (same product: GitLab)
CVE-2026-7481 (same product: GitLab)
CVE-2025-6948 (same product: GitLab)
CVE-2025-0376 (same product: GitLab)
CVE-2025-0555 (same product: GitLab)
CVE-2025-12716 (same product: GitLab)
CVE-2025-13761 (same product: GitLab)
CVE-2025-14560 (same product: GitLab)
CVE-2025-2255 (same product: GitLab)
CVE-2026-0752 (same product: GitLab)

Affected Assets

Vendor/product: gitlab / gitlab (GitLab CE/EE)
Affected version ranges: 15.10.0 up to but not including 17.7.6; 17.8.0 up to but not including 17.8.4; 17.9.0 (fixed in 17.9.1)

Mitigating Controls (NIST 800-53 r5)

SI-15 Information Output Filtering (prevent): Output filtering directly prevents XSS by ensuring content returned through the GitLab proxy feature is sanitized or encoded before the browser renders it.

SI-10 Information Input Validation (prevent): Input validation rejects or sanitizes malicious payloads crafted for the proxy feature, blocking XSS exploitation.

SI-2 Flaw Remediation (prevent): Flaw remediation mandates timely patching to 17.7.6, 17.8.4 or 17.9.1 (or later), eliminating the root cause of the unintended content rendering.
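What SI-15 output filtering looks like for a content proxy, as an added illustration. This is not GitLab code and the advisory does not say which proxy feature was affected or how it was fixed; the block models the bug class in general terms (a proxy that trusts the upstream Content-Type, so attacker-controlled content labelled `text/html` is rendered on the proxy's own origin) beside a hardened handler that allow-lists inline media types, forces everything else to a download, disables MIME sniffing and adds a sandboxing CSP. It also shows the second, more familiar output-filtering case, HTML-encoding proxied metadata before interpolating it into a page. All names (`proxy_unsafe`, `proxy_hardened`, `INLINE_ALLOWED`, `browser_would_render_html`) and the sample upstream body are constructed for the example, and the browser model is a deliberate simplification of real sniffing rules.

```python
"""Output filtering (NIST SI-15) for a content proxy: vulnerable vs hardened.

Added illustration, not GitLab code. The advisory does not identify the proxy
feature or its fix; this models the bug class generically. All names and the
sample upstream content are constructed for the example.
"""
import html
from dataclasses import dataclass


@dataclass
class ProxiedResponse:
    status: int
    headers: dict
    body: bytes


# Media types the proxy is willing to let the browser render inline.
INLINE_ALLOWED = {"image/png", "image/jpeg", "image/gif", "image/webp"}


def _media_type(content_type: str) -> str:
    """'image/png; charset=x' -> 'image/png'."""
    return content_type.split(";", 1)[0].strip().lower()


def proxy_unsafe(upstream_type: str, upstream_body: bytes) -> ProxiedResponse:
    """Vulnerable pattern: the upstream Content-Type is trusted and forwarded.
    If an attacker controls the upstream and labels the body text/html, the
    browser renders it on the proxy's own origin, so any script inside runs
    with the victim's session and can read or act on their account."""
    return ProxiedResponse(200, {"Content-Type": upstream_type}, upstream_body)


def proxy_hardened(upstream_type: str, upstream_body: bytes) -> ProxiedResponse:
    """Hardened pattern: only allow-listed media types are served inline; all
    other content is forced to a non-rendering type and a download, MIME
    sniffing is disabled, and a sandbox CSP denies script execution and origin
    access even if something is rendered anyway."""
    media_type = _media_type(upstream_type)
    headers = {
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
    if media_type in INLINE_ALLOWED:
        headers["Content-Type"] = media_type
        headers["Content-Disposition"] = "inline"
    else:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = "attachment"
    return ProxiedResponse(200, headers, upstream_body)


def render_filename_unsafe(name: str) -> str:
    """Second vector: proxied metadata interpolated into HTML unencoded."""
    return f'<span class="filename">{name}</span>'


def render_filename_hardened(name: str) -> str:
    """Encode for the HTML text context before rendering (also SI-15)."""
    return f'<span class="filename">{html.escape(name, quote=True)}</span>'


def browser_would_render_html(resp: ProxiedResponse) -> bool:
    """Simplified model of whether a browser treats the response as an HTML
    document able to run script on the serving origin. Real sniffing rules are
    more involved; this covers the cases the example exercises."""
    ctype = _media_type(resp.headers.get("Content-Type", ""))
    if resp.headers.get("Content-Disposition", "inline").startswith("attachment"):
        return False
    if "sandbox" in resp.headers.get("Content-Security-Policy", ""):
        return False
    if ctype == "text/html":
        return True
    # No declared type and sniffing enabled: leading markup may be sniffed as HTML.
    if ctype == "" and resp.headers.get("X-Content-Type-Options") != "nosniff":
        return resp.body.lstrip().startswith(b"<")
    return False


if __name__ == "__main__":
    # Constructed attacker-controlled upstream content (generic XSS marker).
    PAYLOAD = b"<script>alert(document.domain)</script>"
    for handler in (proxy_unsafe, proxy_hardened):
        resp = handler("text/html", PAYLOAD)
        print(f"{handler.__name__}: renders as HTML = {browser_would_render_html(resp)}")
```

The design point is that the hardened handler does not try to detect "bad" content (SI-10 style validation of arbitrary upstream bytes is a losing game); it decides what the browser is permitted to do with the bytes, which is what output filtering means for a proxy. The CSP sandbox is belt-and-braces: even if a future allow-listed type turns out to be renderable as a document, the sandbox keeps it off the origin.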
