GitLab has released patches to address nine vulnerabilities affecting various installations of the Community Edition (CE) and Enterprise Edition (EE). Two of these have been classified as critical and are tracked as CVE-2025-25291 and CVE-2025-25292, each with a CVSS score of 8.8. These vulnerabilities impact GitLab’s ruby-saml component and, if exploited, could lead to authentication bypass.
GitLab is a DevOps platform offering Git-based version control, CI/CD automation, and project management features. It provides a self-hosted and cloud-based option, with Community (CE) and Enterprise (EE) editions available. With GitLab, teams can work together effectively, simplify development processes, and improve security for their software projects.
Technical Details
GitLab moved away from ruby-saml for authentication in 2014 but opted to re-evaluate its use in late 2024. That decision inadvertently exposed GitLab to these two critical vulnerabilities.
These authentication bypass vulnerabilities in ruby-saml stem from a parser differential: two parsers interpreting the same input in different ways. The discovery of the parser differential and the two critical flaws went through four stages:
- Identifying the use of two different XML parsers during code review.
- Determining whether and how a parser discrepancy could be exploited.
- Discovering an actual parsing inconsistency between the parsers in use.
- Exploiting the parser discrepancy to develop a complete attack.
The vulnerabilities are exploitable because an XML document can be crafted that the two parsers used by ruby-saml interpret differently.
An attacker who holds a single valid signature, created with the key that validates SAML responses or assertions for the targeted organization, can reuse it to forge their own SAML assertions. This allows them to log in as any user.
Beyond these two critical vulnerabilities, GitLab has patched seven others, tracked as CVE-2025-27407, CVE-2024-13054, CVE-2024-12380, CVE-2025-1257, CVE-2025-0652, CVE-2024-8402, and CVE-2024-7296, each rated medium or low.
Impact
The impact of these vulnerabilities, particularly the critical authentication bypass flaws (CVE-2025-25291 and CVE-2025-25292), is highly severe. They grant attackers full system access, which could allow them to obtain or modify sensitive data. The risk is further heightened by the attack’s low complexity.
Products Affected
The vulnerabilities affect GitLab CE/EE versions 17.9.0, 17.9.1, 17.8.0, 17.8.1, 17.8.2, 17.8.3, 17.8.4, 17.7.0, 17.7.1, 17.7.2, 17.7.3, 17.7.4, 17.7.5, 17.7.6, and below.
Solution and Mitigation
To patch the vulnerabilities, customers must upgrade to GitLab CE/EE version 17.7.7, 17.8.5, or 17.9.2.
For customers unable to perform the upgrade, GitLab has provided a workaround to mitigate the issue. The workaround can be done by following these steps:
- Enable GitLab two-factor authentication for all user accounts on the GitLab self-managed instance. (NOTE: Enabling identity provider multi-factor authentication does not mitigate this vulnerability.)
- Do not allow the SAML two-factor bypass option in GitLab.
- Require admin approval for automatically created new users (gitlab_rails['omniauth_block_auto_created_users'] = true).
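As an added example (not code from GitLab or from this advisory), the following Python helper encodes the affected and fixed versions listed above so an administrator can check an installed version against them, and checks a gitlab.rb snippet for the admin-approval workaround. The gitlab.rb content in the block is constructed for illustration; the version-branch table and the 17.6-and-below handling are assumptions drawn from the version list in this advisory.

```python
import re
from typing import Optional, Tuple

# Fixed releases named in the advisory, keyed by the 17.x minor branch (assumed mapping).
FIXED_BY_BRANCH = {(17, 7): (17, 7, 7), (17, 8): (17, 8, 5), (17, 9): (17, 9, 2)}
OLDEST_FIXED = (17, 7, 7)  # 17.6 and older ("and below") must move at least to this line

def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn a GitLab version string such as '17.8.3-ee' into (major, minor, patch)."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch

def check_gitlab_version(version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, recommended_upgrade) for the ruby-saml advisory."""
    major, minor, patch = parse_version(version)
    current = (major, minor, patch)
    fixed = FIXED_BY_BRANCH.get((major, minor))
    if fixed is not None:
        # Same branch as a fixed release: affected only if older than that release.
        return (True, ".".join(map(str, fixed))) if current < fixed else (False, None)
    if current < OLDEST_FIXED:
        return True, ".".join(map(str, OLDEST_FIXED))
    return False, None  # newer than the 17.9 line; not in the affected list

def auto_created_users_blocked(gitlab_rb: str) -> bool:
    """True if the gitlab.rb text enables admin approval for auto-created SSO users.

    Commented-out lines (leading '#') are ignored; a trailing comment is allowed.
    """
    pattern = re.compile(
        r"""^\s*gitlab_rails\[['"]omniauth_block_auto_created_users['"]\]\s*=\s*true\s*(#.*)?$""",
        re.MULTILINE,
    )
    return pattern.search(gitlab_rb) is not None

# Constructed sample of an /etc/gitlab/gitlab.rb fragment (not a real deployment's file).
SAMPLE_GITLAB_RB = """\
# gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_block_auto_created_users'] = true  # require admin approval
"""

if __name__ == "__main__":
    for v in ("17.8.3-ee", "17.9.2", "17.6.2"):
        print(v, check_gitlab_version(v))
    print("workaround applied:", auto_created_users_blocked(SAMPLE_GITLAB_RB))
```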
Instantly Fix Risks with SanerNow Patch Management
SanerNow patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. SanerNow patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.
