Cyber Resilience

CVE-2025-0555
Severity: High
Published: 03 March 2025
Modified: 07 March 2025
KEV Added: (not listed)
Patch: available (patched versions are listed under Deeper analysis)
CVSS v3.1 base score: 7.7 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N)
EPSS score: 0.0005 (15.9th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-0555 is a high-severity Cross-site Scripting (CWE-79) vulnerability in GitLab (catalogued here as product "Gitlab Gitlab"). Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). EPSS ranks it at the 15.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-0555 is a Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, in GitLab Enterprise Edition (GitLab-EE). It affects all versions from 16.6 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1. Published on 2025-03-03, the flaw enables an attacker to bypass security controls and execute arbitrary scripts in a user's browser under specific conditions. The vulnerability carries a CVSS v3.1 base score of 7.7 (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N), indicating high severity due to its potential confidentiality and integrity impacts.

An attacker requires low privileges (PR:L), such as access as a project member or similar role within the affected GitLab instance, to exploit this vulnerability over the network (AV:N). Exploitation demands high attack complexity (AC:H) and user interaction (UI:R), typically tricking a victim into performing an action like visiting a crafted page or interacting with malicious content. Upon success, the attack changes scope (S:C), allowing arbitrary script execution in the victim's browser, which can lead to high confidentiality (C:H) and integrity (I:H) impacts, such as session hijacking or data exfiltration, with no availability disruption (A:N).

Mitigation requires upgrading to patched GitLab-EE versions 17.7.6, 17.8.4, 17.9.1, or later. Additional details are available in the GitLab issue tracker at https://gitlab.com/gitlab-org/gitlab/-/issues/514004 and the HackerOne disclosure report at https://hackerone.com/reports/2939833.

EU & UK References

Vulnerability details

A Cross Site Scripting (XSS) vulnerability in GitLab-EE affecting all versions from 16.6 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1 allows an attacker to bypass security controls and execute arbitrary scripts in a user's browser under specific conditions.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1059.007 JavaScript (tactic: Execution)
Adversaries may abuse various implementations of JavaScript for execution.
T1185 Browser Session Hijacking (tactic: Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

The XSS vulnerability directly enables arbitrary JavaScript execution in the victim's browser (T1059.007) and, through that, the session hijacking described under the impacts (T1185).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-13761 (same product: Gitlab Gitlab)
CVE-2026-1090 (same product: Gitlab Gitlab)
CVE-2025-11224 (same product: Gitlab Gitlab)
CVE-2026-7481 (same product: Gitlab Gitlab)
CVE-2026-6073 (same product: Gitlab Gitlab)
CVE-2026-7377 (same product: Gitlab Gitlab)
CVE-2025-0475 (same product: Gitlab Gitlab)
CVE-2025-14560 (same product: Gitlab Gitlab)
CVE-2025-2255 (same product: Gitlab Gitlab)
CVE-2025-6948 (same product: Gitlab Gitlab)

Affected Assets

Vendor: gitlab
Product: gitlab
Affected versions: 17.9.0; 16.6.0 up to (but not including) 17.7.6; 17.8.0 up to (but not including) 17.8.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-15 Information Output Filtering (prevent)
Information Output Filtering directly prevents XSS by encoding or sanitizing output to web pages, blocking arbitrary script execution in users' browsers.

SI-10 Information Input Validation (prevent)
Information Input Validation sanitizes user inputs to prevent malicious script injection that bypasses GitLab's security controls.

SI-2 Flaw Remediation (prevent)
Flaw Remediation ensures timely patching of the specific XSS vulnerability in the affected GitLab-EE versions, as recommended in the advisory.

References