Cyber Resilience

CVE-2025-6948

High

Published: 10 July 2025
Modified: 25 July 2025
CVSS Score (v3.1): 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
EPSS Score: 0.0020 (42.3rd percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-6948 is a high-severity Cross-site Scripting (CWE-79) vulnerability in GitLab (vendor: Gitlab, product: Gitlab). Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 42.3rd percentile by EPSS exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-6948 is a vulnerability discovered in GitLab Community Edition (CE) and Enterprise Edition (EE), affecting all versions from 17.11 prior to 17.11.6, 18.0 prior to 18.0.4, and 18.1 prior to 18.1.2. The flaw enables an attacker, under certain conditions, to inject malicious content and execute actions on behalf of other users. It is associated with CWE-79, which pertains to cross-site scripting.

The vulnerability has a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), indicating network accessibility, low attack complexity, requirement for low privileges and user interaction, changed scope, high confidentiality and integrity impacts, and no availability impact. An authenticated attacker with low privileges can exploit it by tricking a victim user into interacting with injected malicious content, such as via a crafted link or payload, thereby impersonating the victim to access sensitive data or perform unauthorized actions on their behalf.

Advisories recommend upgrading to patched versions 17.11.6, 18.0.4, or 18.1.2 to mitigate the issue. Additional details on the vulnerability and resolution are documented in the GitLab issue tracker at https://gitlab.com/gitlab-org/gitlab/-/issues/552616 and the HackerOne report at https://hackerone.com/reports/3227316.


Vulnerability details

An issue has been discovered in GitLab CE/EE affecting all versions from 17.11 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2 that, under certain conditions, could have allowed a successful attacker to execute actions on behalf of users by injecting malicious content.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

XSS (CWE-79) in public-facing GitLab enables injection of malicious scripts to hijack sessions and impersonate users via crafted links/payloads.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-0376 · Same product: Gitlab Gitlab
CVE-2025-13761 · Same product: Gitlab Gitlab
CVE-2025-9222 · Same product: Gitlab Gitlab
CVE-2025-11224 · Same product: Gitlab Gitlab
CVE-2026-7481 · Same product: Gitlab Gitlab
CVE-2025-0475 · Same product: Gitlab Gitlab
CVE-2025-14560 · Same product: Gitlab Gitlab
CVE-2025-2255 · Same product: Gitlab Gitlab
CVE-2026-0752 · Same product: Gitlab Gitlab
CVE-2025-0314 · Same product: Gitlab Gitlab

Affected Assets

Vendor: gitlab
Product: gitlab
Affected version ranges: 17.11.0 — 17.11.6 · 18.0.0 — 18.0.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assigned)

prevent: SI-2 (Flaw Remediation) mandates identification, prioritization, and remediation of flaws like this GitLab XSS vulnerability through timely patching to fixed versions such as 17.11.6.

prevent: SI-10 (Information Input Validation) requires validation of information inputs to block injection of malicious content that enables XSS execution on behalf of users.

prevent: SI-15 (Information Output Filtering) enforces output filtering to prevent injected malicious scripts from executing in victims' browsers and performing unauthorized actions.
