
Executive Summary
GitLab has rolled out significant security updates for versions 17.9.2, 17.8.5, and 17.7.7 to rectify various vulnerabilities, notably critical authentication bypasses in the SAML single sign-on (SSO) authentication mechanism. This document outlines these vulnerabilities and provides mitigation strategies to safeguard against potential breaches.
Technical Information
The latest GitLab patch addresses several vulnerabilities, the most critical being CVE-2025-25291 and CVE-2025-25292, which involve authentication bypass issues in the SAML SSO mechanism. These vulnerabilities are rooted in the ruby-saml library used by GitLab and stem from discrepancies between how ReXML and Nokogiri parse the same XML document, enabling signature wrapping attacks. An attacker in possession of a validly signed SAML document from the identity provider could authenticate as another user. Mitigation strategies include enabling two-factor authentication, disabling SAML two-factor bypass, and mandating admin approval for new users.
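As an added illustration (not code from GitLab, ruby-saml, or this advisory), the Ruby snippet below shows the defensive principle behind parser-discrepancy and signature wrapping fixes: consume only the Assertion element that the XML Signature's Reference actually designates, resolve that binding with a single parser, and reject any document in which the binding is ambiguous. It performs no cryptographic verification (the SignatureValue is a placeholder), and the SAML documents, element IDs and addresses are constructed sample data.

```ruby
# Added example: bind the consumed SAML Assertion to the element the
# XML Signature references, and refuse structurally ambiguous documents.
# Not ruby-saml's or GitLab's code; cryptographic checks are out of scope.
require "rexml/document"

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS   = "http://www.w3.org/2000/09/xmldsig#"

class SamlWrappingError < StandardError; end

# Returns the one Assertion element covered by the signature, or raises.
def signed_assertion(xml)
  doc = REXML::Document.new(xml)

  # Exactly one enveloped Signature with exactly one Reference is expected.
  sigs = REXML::XPath.match(doc, "//ds:Signature", "ds" => DS_NS)
  raise SamlWrappingError, "expected one Signature, got #{sigs.size}" unless sigs.size == 1
  refs = REXML::XPath.match(sigs.first, "./ds:SignedInfo/ds:Reference", "ds" => DS_NS)
  raise SamlWrappingError, "expected one Reference, got #{refs.size}" unless refs.size == 1

  uri = refs.first.attributes["URI"].to_s
  unless uri.start_with?("#") && uri.size > 1
    raise SamlWrappingError, "Reference URI must be a same-document ID reference"
  end
  target_id = uri[1..-1]

  # Resolve the ID by walking every element with the same parser that
  # produced the tree; a duplicated ID is exactly the ambiguity to refuse.
  holders = []
  doc.each_recursive { |el| holders << el if el.attributes["ID"] == target_id }
  raise SamlWrappingError, "ID #{target_id.inspect} held by #{holders.size} elements" unless holders.size == 1
  signed = holders.first

  # The referenced element must be the only Assertion, and it must be the
  # very node object we go on to read (identity, not just equal content).
  assertions = REXML::XPath.match(doc, "//saml:Assertion", "saml" => SAML_NS)
  raise SamlWrappingError, "expected one Assertion, got #{assertions.size}" unless assertions.size == 1
  raise SamlWrappingError, "signature does not cover the Assertion" unless assertions.first.equal?(signed)

  signed
end

# Reads the NameID only from the signed Assertion.
def name_id_of(xml)
  a = signed_assertion(xml)
  REXML::XPath.first(a, "./saml:Subject/saml:NameID", "saml" => SAML_NS).text
end

# Boolean convenience wrapper for callers that only need accept/reject.
def accept?(xml)
  name_id_of(xml)
  true
rescue SamlWrappingError
  false
end

# Constructed sample: one Assertion, signed by reference to its own ID.
LEGIT = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="#{SAML_NS}" xmlns:ds="#{DS_NS}">
    <saml:Assertion ID="_a1">
      <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
      <ds:Signature>
        <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
      </ds:Signature>
    </saml:Assertion>
  </samlp:Response>
XML

# Constructed sample: a second, unsigned Assertion precedes the signed one.
# A consumer that reads "the first Assertion" would trust unsigned data;
# this check rejects the document outright.
AMBIGUOUS = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="#{SAML_NS}" xmlns:ds="#{DS_NS}">
    <saml:Assertion>
      <saml:Subject><saml:NameID>someone-else@example.com</saml:NameID></saml:Subject>
    </saml:Assertion>
    <saml:Assertion ID="_a1">
      <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
      <ds:Signature>
        <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
      </ds:Signature>
    </saml:Assertion>
  </samlp:Response>
XML

puts "legit: #{accept?(LEGIT)}, ambiguous: #{accept?(AMBIGUOUS)}"
```

The design point is that every lookup (Signature, Reference, ID holder, Assertion) runs against one parsed tree and the final comparison is object identity, so two parsers cannot disagree about which element was signed. In a real service provider this structural check precedes, and never replaces, verification of the signature value against the identity provider's certificate.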
Another significant vulnerability, CVE-2025-27407, is a high-severity remote code execution flaw in the Ruby graphql library, which can be exploited via the Direct Transfer feature when a malicious project is transferred. Users are advised to disable the Direct Transfer feature for self-managed instances to prevent exploitation.
The patch also addresses CVE-2024-13054, a medium-severity denial-of-service vulnerability that could trigger a system reboot under specific conditions. Applying the provided patch can mitigate this issue. CVE-2024-12380 involves potential credentials disclosure through user inputs in repository mirroring settings. Updating to the latest version will prevent sensitive information exposure.
CVE-2025-1257 pertains to a medium-severity denial-of-service vulnerability in Approval Rules, where manipulating API inputs could cause a denial-of-service condition. CVE-2025-0652 is another medium-severity flaw that could result in unauthorized access to internal notes. Applying the patch will restrict unauthorized access.
Low-severity vulnerabilities include CVE-2024-8402, which allows shell code injection via Google Cloud IAM integration, and CVE-2024-7296, where a user with custom permissions could approve membership requests beyond limits. Both vulnerabilities require updating to the latest version to mitigate risks.
Exploitation in the Wild
Currently, there are no reported cases of exploitation or available exploits for CVE-2025-25291, CVE-2025-25292, or CVE-2025-27407 in the wild, and no Advanced Persistent Threat (APT) groups have been identified leveraging these vulnerabilities.
APT Groups using this vulnerability
There are no confirmed reports of APT groups exploiting these vulnerabilities at this time; timely updates and the preventive measures below nonetheless remain important to mitigate potential future threats.
Affected Product Versions
The vulnerabilities affect GitLab Community Edition (CE) and Enterprise Edition (EE) versions prior to 17.9.2, 17.8.5, and 17.7.7. Users on these versions are strongly encouraged to update to the latest release.
Workaround and Mitigation
Immediate updating to the latest GitLab version is highly recommended to neutralize these vulnerabilities. For those unable to update immediately, interim mitigation strategies include enabling two-factor authentication, disabling SAML two-factor bypass, requiring admin approval for new users, and disabling the Direct Transfer feature for self-managed instances.
References
For detailed information regarding the GitLab release and vulnerabilities, please refer to the following resources:
- GitLab Official Release Notes: https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released/
- SecurityOnline.info Article: https://securityonline.info/gitlab-urgently-patches-critical-authentication-bypass-flaws-cve-2025-25291-cve-2025-25292/
Rescana is here for you
Rescana is committed to assisting organizations in managing third-party risks with our robust Third Party Risk Management (TPRM) platform. We are happy to address any questions you may have about this report or other cybersecurity concerns. Please feel free to reach out to us at ops@rescana.com.