- GitLab releases a patch for nine flaws, including two of critical severity
- The critical flaws allowed threat actors to bypass authentication and could lead to data exfiltration
- The patch is now available, and GitLab is urging users to apply it
GitLab has patched nine vulnerabilities affecting its Community Edition (CE) and Enterprise Edition (EE) solutions, and urged users to apply the patch immediately.
In a published security advisory, GitLab said that among the nine flaws are two of critical severity that allow threat actors to bypass authentication.
Users are urged to upgrade their GitLab CE/EE installations to versions 17.7.7, 17.8.5 and 17.9.2 as soon as possible. GitLab.com is already patched, and GitLab Dedicated customers will be updated automatically, so no action is required on their part. However, users running self-managed installations must patch themselves.
Mitigate and patch
“We strongly recommend that all installations running a version affected by the issues described below be upgraded to the latest version as soon as possible,” GitLab said.
The two critical-severity flaws are tracked as CVE-2025-25291 and CVE-2025-25292. Both were discovered in the ruby-saml library, which GitLab uses for SAML single sign-on (SSO) authentication at the instance or group level. An authenticated attacker with access to a valid signed SAML document can impersonate another user within the same SAML identity provider (IdP) environment and thereby gain access to that user's account.
This, in turn, could lead to data exfiltration, privilege escalation and more.
Users who cannot apply the patch should immediately mitigate the risk by ensuring that all users on self-managed GitLab instances have 2FA configured (2FA at the identity provider level does not help). They should also disable the SAML two-factor bypass option and require administrator approval for automatically created users.
GitLab stressed that these should be seen only as temporary mitigations, and that the only way to permanently address the problem is to apply the patch.
GitHub says its platform is not affected by this discovery, since it stopped using the ruby-saml library more than a decade ago, BleepingComputer found.
“GitHub currently does not use ruby-saml for authentication, but began evaluating the use of the library with the intention of once again using an open source library for SAML authentication,” GitHub said.
Via BleepingComputer