CVE-2025-9222
Published: 09 January 2026
Summary
CVE-2025-9222 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Gitlab Gitlab. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Filters rendered output from GitLab Flavored Markdown to block execution of injected XSS payloads when viewed by victims.
Validates and sanitizes user-submitted Markdown inputs to prevent injection of malicious scripts by authenticated users.
Requires timely remediation through patching of the specific sanitization flaw in affected GitLab versions.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS in public-facing GitLab web app directly enables exploitation of the application over the network to execute attacker-controlled scripts in victim browsers.
NVD Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2.2 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to achieve stored cross-site scripting by exploiting GitLab Flavored Markdown.
Deeper analysisAI
CVE-2025-9222 is a stored cross-site scripting vulnerability (CWE-79) in GitLab Community Edition (CE) and Enterprise Edition (EE). It affects all versions from 18.2.2 prior to 18.5.5, 18.6 prior to 18.6.3, and 18.7 prior to 18.7.1. The flaw stems from inadequate sanitization in GitLab Flavored Markdown, enabling injection of malicious scripts. The vulnerability carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), indicating high severity due to network accessibility, low attack complexity, and potential for cross-origin impacts.
An authenticated user with low privileges (PR:L) can exploit this over the network (AV:N) by submitting specially crafted GitLab Flavored Markdown containing XSS payloads. The attack requires user interaction (UI:R) from victims viewing the stored content, such as in issues, merge requests, or wikis. Successful exploitation executes scripts in the victim's browser context with changed scope (S:C), potentially compromising high confidentiality (C:H) and integrity (I:H) by stealing session data, performing actions on behalf of users, or escalating access within the GitLab instance.
GitLab has remediated the issue through patches, including the release of version 18.7.1. Organizations should upgrade to GitLab 18.5.5, 18.6.3, 18.7.1, or later to mitigate the vulnerability. Further details on the fix are documented in GitLab's patch release notes, the associated issue tracker entry, and the HackerOne disclosure report.
Details
- CWE(s)