CVE-2025-11224
Published: 14 January 2026
Summary
CVE-2025-11224 is a high-severity stored Cross-site Scripting (CWE-79) vulnerability in GitLab CE/EE. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). It is ranked at the 10.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly addresses the improper input validation in GitLab's Kubernetes proxy functionality that allows stored XSS payloads to be injected.
- SI-15 (Information Output Filtering): Prevents injected payloads from executing as XSS in the browsers of users viewing the affected Kubernetes proxy interface.
- SI-2 (Flaw Remediation): Ensures timely remediation by upgrading GitLab to a patched version (18.3.6, 18.4.4 or 18.5.2), which eliminates the stored XSS vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
- T1185 (Browser Session Hijacking): Stored XSS in the GitLab web interface directly enables session hijacking through cookie theft and actions performed in the victim's browser context.
NVD Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to execute stored cross-site scripting through improper input validation in the Kubernetes proxy functionality.
Deeper analysis
CVE-2025-11224 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, stemming from improper input validation in GitLab's Kubernetes proxy functionality. It affects all versions of GitLab Community Edition (CE) and Enterprise Edition (EE) from 15.10 prior to 18.3.6, 18.4 prior to 18.4.4, and 18.5 prior to 18.5.2. The issue has a CVSS v3.1 base score of 7.7 (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N), indicating high severity due to its potential for confidentiality and integrity impacts across a changed scope.
An authenticated user with low privileges can exploit this vulnerability by injecting malicious payloads through the Kubernetes proxy; the payloads are stored and later executed as XSS in the browsers of other users who interact with the affected interface. Exploitation has high attack complexity and requires user interaction, such as clicking a malicious link or viewing proxied content, but a successful attack can lead to high confidentiality and integrity impact, potentially allowing an attacker to steal session cookies, perform actions on behalf of victims, or manipulate GitLab's web interface.
GitLab has remediated the vulnerability with patches released in versions 18.3.6, 18.4.4, and 18.5.2, as detailed in the patch release notes for 18.5.2. Administrators should upgrade to these fixed versions immediately. Additional details are available in the associated GitLab issue tracker (gitlab.com/gitlab-org/gitlab/-/issues/573223) and the originating HackerOne disclosure report (hackerone.com/reports/3277291).
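The first defender action is to confirm whether an instance falls inside the three affected ranges stated above. The following added example (not part of the advisory or of GitLab's own tooling) encodes those ranges as half-open intervals and reports the minimum fixed release for the instance's branch; the version strings in the comments are constructed, and the `-ee`/`-ce` suffix handling assumes the usual GitLab version string format.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges from the NVD description of CVE-2025-11224, expressed as
# [introduced, fixed) intervals, one per release branch.
AFFECTED_RANGES = [
    ((15, 10, 0), (18, 3, 6)),   # 15.10 up to, but not including, 18.3.6
    ((18, 4, 0), (18, 4, 4)),    # 18.4 up to, but not including, 18.4.4
    ((18, 5, 0), (18, 5, 2)),    # 18.5 up to, but not including, 18.5.2
]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH][-ee|-ce]' (e.g. '18.4.3-ee', a constructed
    sample) into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?(?:-\w+)?\s*", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(version: str) -> bool:
    """True if the instance version lies in any affected interval."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def required_upgrade(version: str) -> Optional[str]:
    """Minimum fixed release on the instance's branch, or None if not affected.
    Anything below 18.3.6 (including pre-18.x releases) is directed to 18.3.6,
    the lowest patched release named in the advisory."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


if __name__ == "__main__":
    # Constructed inventory of instance versions for illustration.
    for ver in ["18.4.3-ee", "18.4.4-ee", "18.5.1", "18.3.6-ce", "17.0.0"]:
        fix = required_upgrade(ver)
        print(f"{ver:12s} affected={is_affected(ver)!s:5s} upgrade_to={fix}")
```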
Details
- CWE(s)