
GitLab has fixed several serious security issues.
Two of the nine patched flaws are rated critical severity; both are SAML authentication bypasses.
GitLab has released patch releases fixing nine vulnerabilities in its Community Edition (CE) and Enterprise Edition (EE), and is advising users to apply them immediately. The accompanying security advisory states that two of the nine are rated critical severity and allow an attacker to bypass SAML single sign-on authentication.
Self-managed users should upgrade GitLab CE/EE to 17.9.2, 17.8.5 or 17.7.7, the first fixed release on each supported branch, as soon as possible. GitLab.com already runs the patched code, and GitLab Dedicated customers receive the update automatically without any action on their part. Self-managed installations, however, must be patched by their administrators.
GitLab stressed the urgency of the update: every installation running an affected version should be moved to the latest available release immediately. The two critical vulnerabilities are tracked as CVE-2025-25291 and CVE-2025-25292. Both were found in the ruby-saml library, which GitLab uses for SAML Single Sign-On (SSO) at the instance and group level, and both are fixed upstream in ruby-saml 1.18.0. The root cause is a parser differential: ruby-saml verified the XML signature over one parser's view of the SAML response but read the assertion from another's, which makes a classic XML signature wrapping attack possible. An attacker who holds a single valid SAML document signed by the Identity Provider (IdP), for example an assertion issued for their own account, can therefore craft a response that GitLab accepts as any other user of the same IdP and take over that account.
The consequences range from data exfiltration to privilege escalation. Users who cannot patch immediately are advised to reduce the exposure on self-managed instances by enforcing GitLab's own 2FA for all users; MFA at the IdP does not help, because a forged assertion never passes through the IdP, whereas GitLab's 2FA prompt is enforced after the SAML step. In addition, the SAML two-factor bypass option (omniauth_allow_bypass_two_factor in gitlab.rb) should be disabled, and automatically created users should require administrator approval (omniauth_block_auto_created_users set to true).
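The three checks an administrator would want to run against a self-managed instance while the patch is pending, as an added example that is not part of the GitLab advisory or the GitLab code base: whether the running version already contains the fix, whether the gitlab.rb OmniAuth settings named above are in their safe state, and whether instance-wide 2FA is actually enforced in the application settings. The gitlab.rb fragments and the application-settings JSON are constructed samples; the Omnibus defaults assumed when a key is absent (bypass off, auto-created users blocked) come from the gitlab.rb template, and the SAML provider is recognised by its name matching /saml/i, which covers the default 'saml' and the usual custom names.

```ruby
require 'json'

# First fixed release on each affected branch, per the GitLab advisory.
PATCHED = { [17, 7] => [17, 7, 7], [17, 8] => [17, 8, 5], [17, 9] => [17, 9, 2] }.freeze

# True when a version string such as "17.8.4" or "17.9.2-ee" already carries the fix.
def patched_version?(version)
  parts = version.split('.').map(&:to_i)
  branch = parts[0, 2]
  fix = PATCHED[branch]
  return (parts <=> fix) >= 0 if fix
  # Branches cut after 17.9 ship with the fix; older branches never received it.
  (branch <=> [17, 9]) > 0
end

# Constructed gitlab.rb fragments (not from a real deployment). Only the two
# OmniAuth keys from the advisory matter here; the rest is realistic filler.
WEAK_GITLAB_RB = <<~'RB'
  gitlab_rails['omniauth_enabled'] = true
  gitlab_rails['omniauth_providers'] = [
    { name: 'saml', label: 'Corp SSO', args: { idp_sso_service_url: 'https://idp.example.com/sso' } }
  ]
  # Weak: SAML logins skip GitLab's own 2FA, and IdP-provisioned users are active immediately.
  gitlab_rails['omniauth_allow_bypass_two_factor'] = ['saml']
  gitlab_rails['omniauth_block_auto_created_users'] = false
RB

HARDENED_GITLAB_RB = <<~'RB'
  gitlab_rails['omniauth_enabled'] = true
  gitlab_rails['omniauth_providers'] = [
    { name: 'saml', label: 'Corp SSO', args: { idp_sso_service_url: 'https://idp.example.com/sso' } }
  ]
  gitlab_rails['omniauth_allow_bypass_two_factor'] = false
  gitlab_rails['omniauth_block_auto_created_users'] = true
RB

# gitlab.rb is plain Ruby in which section names (gitlab_rails, nginx, ...) are
# hashes. This stand-in provides just enough of that DSL to capture assignments.
class GitlabRbLoader
  attr_reader :settings

  def initialize
    @settings = Hash.new { |h, k| h[k] = {} }
  end

  def method_missing(name, *_args)
    @settings[name.to_s]
  end

  def respond_to_missing?(*_args)
    true
  end

  def self.load(src)
    loader = new
    loader.instance_eval(src, 'gitlab.rb', 1)
    loader.settings
  end
end

# Returns findings for the gitlab.rb-level mitigations; empty means both are in place.
def audit_gitlab_rb(src)
  rails = GitlabRbLoader.load(src)['gitlab_rails']
  findings = []
  # Omnibus defaults assumed when the key is absent: bypass off, auto-created users blocked.
  bypass = rails.fetch('omniauth_allow_bypass_two_factor', false)
  bypass_saml = bypass == true ||
                (bypass.is_a?(Array) && bypass.any? { |p| p.to_s =~ /saml/i })
  if bypass_saml
    findings << 'omniauth_allow_bypass_two_factor lets SAML logins skip GitLab 2FA; set it to false'
  end
  unless rails.fetch('omniauth_block_auto_created_users', true) == true
    findings << 'omniauth_block_auto_created_users is false; auto-created SAML users should need admin approval'
  end
  findings
end

# Constructed excerpt of GET /api/v4/application/settings, reduced to the two relevant fields.
APP_SETTINGS_JSON = '{"require_two_factor_authentication": false, "two_factor_grace_period": 48}'

# Instance-wide 2FA lives in the application settings, not gitlab.rb, so it is audited separately.
def audit_app_settings(json)
  s = JSON.parse(json)
  findings = []
  unless s['require_two_factor_authentication']
    findings << 'require_two_factor_authentication is off; enforce 2FA for every user on the instance'
  end
  if s['require_two_factor_authentication'] && s['two_factor_grace_period'].to_i > 0
    findings << "two_factor_grace_period is #{s['two_factor_grace_period']}h; users can still sign in without 2FA until it expires"
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  puts "17.8.4 patched? #{patched_version?('17.8.4')}"   # false
  puts "17.9.2 patched? #{patched_version?('17.9.2')}"   # true
  puts 'weak gitlab.rb:',     audit_gitlab_rb(WEAK_GITLAB_RB)
  puts 'hardened gitlab.rb:', audit_gitlab_rb(HARDENED_GITLAB_RB).inspect
  puts 'app settings:',       audit_app_settings(APP_SETTINGS_JSON)
end
```

Point `audit_gitlab_rb` at the real `/etc/gitlab/gitlab.rb` and `audit_app_settings` at the JSON from the application-settings API to run it against a live instance; note that an empty finding list only confirms the mitigations, and `patched_version?` is the check that actually matters once the upgrade is possible.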
These measures are only stopgaps; the only definitive remedy is to apply the patch. GitHub, whose Security Lab reported the two ruby-saml issues, has stated that its own platform is not affected because it stopped using the ruby-saml library in 2014, more than ten years ago.