Multiple GitLab Vulnerabilities Allow Prompt Injection and Data Theft

GitLab has released a series of urgent security patches addressing multiple vulnerabilities across both its Community Edition (CE) and Enterprise Edition (EE). 

The patched releases — versions 18.5.2, 18.4.4, and 18.3.6 — resolve critical issues that could allow attackers to steal sensitive data, bypass access controls, and compromise AI-powered features. 

According to GitLab, organizations running self-managed instances should update immediately, as several vulnerabilities can be exploited without advanced privileges.

Prompt Injection Attack in GitLab Duo

The most serious flaw involves a prompt injection vulnerability in GitLab Duo’s code review functionality. 

Attackers could insert hidden malicious instructions into merge request comments, tricking the AI into revealing confidential content from private issues. 

GitLab identified the flaw in Enterprise Edition versions 17.9 and later. 

Because this attack requires no overt malware or direct access to protected resources, it poses a threat to development environments that rely on AI-assisted workflows. 

Hidden prompt injection represents an emerging class of AI-specific attacks, where input manipulation leads to data exposure rather than code execution.

Additional Vulnerabilities Across GitLab Components

GitLab’s latest security release addressed several notable vulnerabilities across its platform. 

These include CVE-2025-11224, a high-severity cross-site scripting flaw in the Kubernetes proxy that allows authenticated users to execute malicious scripts, and CVE-2025-11865, an authorization weakness that permits users to remove AI workflows belonging to others. 

The update also patches multiple information disclosure issues, such as CVE-2025-2615 and CVE-2025-7000, which allow blocked users to establish GraphQL subscriptions or view sensitive branch names, as well as CVE-2025-6171, which exposes package metadata even when a repository is restricted. 

Additional fixes include CVE-2025-11990, a path-traversal bug triggered via crafted branch names; CVE-2025-7736, an access control flaw in GitLab Pages that enables OAuth bypasses; and CVE-2025-12983, a denial-of-service issue caused by specially crafted Markdown content.

Upgrade Considerations

GitLab’s cloud-hosted services have already been updated, and no action is required for GitLab.com or GitLab Dedicated customers. 

However, self-managed customers must upgrade immediately. GitLab notes that some updates involve database migrations, and single-node installations will incur downtime. 

Multi-node environments can achieve near-zero downtime upgrades by following GitLab’s recommended procedures on their site.

Additional Security Controls to Reduce Risk

While applying GitLab’s security updates is essential, organizations should also implement additional controls to reduce risk. Some of the additional security controls include:

• Restrict GitLab Duo and other AI-assisted features to trusted users or projects until stronger prompt-injection protections mature.
• Enforce strict RBAC and branch protection rules, limiting who can create merge requests, comments, workflows, and sensitive operations.
• Strengthen logging and monitoring by tracking unusual GraphQL activity, workflow deletions, branch access patterns, and anomalous user behavior.
• Deploy WAF/XSS protections and sanitize merge request inputs to block malicious scripts, hidden prompts, and crafted payloads before they reach GitLab services.
• Harden CI/CD pipelines by isolating runners, enforcing least privilege, validating all artifacts, and scanning integrations for insecure dependencies.
• Restrict public exposure of GitLab instances through network segmentation and IP allowlisting, and regularly rotate tokens, API keys, and OAuth credentials.

As threat actors increasingly leverage AI for more tailored attacks, layered defense and continuous monitoring remain essential.

The latest GitLab security release underscores the growing complexity of securing modern development ecosystems. 

Traditional issues such as XSS, access control failures, and information leaks remain prevalent, but AI-driven features now introduce new attack surfaces. 

This evolving mix of legacy vulnerabilities and emerging AI-driven risks makes zero-trust principles more critical than ever for securing the software development lifecycle.