Cyber Resilience

CVE-2025-9222

HighUpdated

Published: 09 January 2026

Published
09 January 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v3.1 8.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
EPSS Score 0.0035 27.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-9222 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Gitlab Gitlab. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-9222 is a stored cross-site scripting vulnerability (CWE-79) in GitLab Community Edition (CE) and Enterprise Edition (EE). It affects all versions from 18.2.2 prior to 18.5.5, 18.6 prior to 18.6.3, and 18.7 prior to 18.7.1. The flaw stems from inadequate sanitization in GitLab Flavored Markdown, enabling injection of malicious scripts. The vulnerability carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), indicating high severity due to network accessibility, low attack complexity, and potential for cross-origin impacts.

An authenticated user with low privileges (PR:L) can exploit this over the network (AV:N) by submitting specially crafted GitLab Flavored Markdown containing XSS payloads. The attack requires user interaction (UI:R) from victims viewing the stored content, such as in issues, merge requests, or wikis. Successful exploitation executes scripts in the victim's browser context with changed scope (S:C), potentially compromising high confidentiality (C:H) and integrity (I:H) by stealing session data, performing actions on behalf of users, or escalating access within the GitLab instance.

GitLab has remediated the issue through patches, including the release of version 18.7.1. Organizations should upgrade to GitLab 18.5.5, 18.6.3, 18.7.1, or later to mitigate the vulnerability. Further details on the fix are documented in GitLab's patch release notes, the associated issue tracker entry, and the HackerOne disclosure report.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2.2 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to achieve stored cross-site scripting by exploiting GitLab Flavored Markdown.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Stored XSS in public-facing GitLab web app directly enables exploitation of the application over the network to execute attacker-controlled scripts in victim browsers.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-14560Same product: Gitlab Gitlab
CVE-2024-10383Same product: Gitlab Gitlab
CVE-2025-6948Same product: Gitlab Gitlab
CVE-2025-0376Same product: Gitlab Gitlab
CVE-2026-0752Same product: Gitlab Gitlab
CVE-2025-2255Same product: Gitlab Gitlab
CVE-2026-5262Same product: Gitlab Gitlab
CVE-2025-0314Same product: Gitlab Gitlab
CVE-2025-0811Same product: Gitlab Gitlab
CVE-2025-13761Same product: Gitlab Gitlab

Affected Assets

gitlab
gitlab
18.7.0 · 18.2.2 — 18.5.5 · 18.2.2 — 18.5.5 · 18.6.0 — 18.6.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Filters rendered output from GitLab Flavored Markdown to block execution of injected XSS payloads when viewed by victims.

prevent

Validates and sanitizes user-submitted Markdown inputs to prevent injection of malicious scripts by authenticated users.

prevent

Requires timely remediation through patching of the specific sanitization flaw in affected GitLab versions.

References