WARNING: CRITICAL AND HIGH SEVERITY VULNERABILITIES IN GITLAB'S COMMUNITY AND ENTERPRISE EDITIONS CAN LEAD TO REMOTE CODE EXECUTION AND AUTHENTICATION BYPASS, PATCH IMMEDIATELY!
CVE-2025-27407: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2025-25291: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
CVE-2025-25292: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
Sources
https://nvd.nist.gov/vuln/detail/CVE-2025-27407
https://nvd.nist.gov/vuln/detail/CVE-2025-25291
https://nvd.nist.gov/vuln/detail/CVE-2025-25292
Risks
A 9.0 critical vulnerability (CVE-2025-27407) affects GitLab's Community (CE) and Enterprise (EE) editions. If left unpatched, affected instances are vulnerable to remote code execution (RCE) attacks, potentially impacting the confidentiality, integrity, and availability of data and systems.
The same GitLab software contains two 8.8 high-severity vulnerabilities (CVE-2025-25291 and CVE-2025-25292) that make unpatched instances vulnerable to authentication bypass attacks, which could impact the confidentiality and integrity of data and systems.
No information is available that the vulnerabilities above are actively exploited.
CVE-2025-27407, CVE-2025-25291, and CVE-2025-25292 are fixed via updates to versions 17.9.2, 17.8.5, and 17.7.7 of the affected GitLab software. GitLab also included fixes for other low- and medium-severity vulnerabilities: CVE-2024-7296, CVE-2024-8402, CVE-2025-0652, CVE-2024-12380, CVE-2024-13054, and CVE-2025-1257.
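The following is an added example (not part of this advisory and not GitLab tooling) that turns the fixed versions above into a check a defender can run over an inventory of instances: it takes a GitLab version string, such as the "version" field an instance returns from its /api/v4/version endpoint, and reports whether that release is on or past the fixed release of its own branch. The classification of releases newer than 17.9 as containing the fix is an assumption, not a statement in the advisory.

```ruby
# Added example: classify a GitLab version string against the fixed releases
# named in the CCB advisory (17.9.2, 17.8.5, 17.7.7). Not GitLab's own code.

# Fixed patch level per affected branch, taken from the advisory.
FIXED_RELEASES = {
  [17, 9] => 2,   # 17.9.2
  [17, 8] => 5,   # 17.8.5
  [17, 7] => 7,   # 17.7.7
}.freeze

OLDEST_FIXED_BRANCH = [17, 7].freeze

# Parses "17.9.2", "17.9.2-ee" or "17.9.2-ce" into [17, 9, 2].
# Returns nil for anything that does not look like a GitLab version.
def parse_gitlab_version(str)
  m = /\A(\d+)\.(\d+)\.(\d+)(?:-(?:ce|ee))?\z/.match(str.to_s.strip)
  return nil unless m
  m.captures.map(&:to_i)
end

# Returns one of:
#   :patched             - the release carries the fix for its branch
#   :vulnerable          - same branch as a fixed release, but older than it
#   :upgrade_required    - branch older than 17.7, which received no fixed release
#   :newer_than_advisory - branch newer than 17.9; assumed (not stated in the
#                          advisory) to include the fix
#   :unknown             - string could not be parsed
def gitlab_fix_status(version_str)
  v = parse_gitlab_version(version_str)
  return :unknown unless v
  major, minor, patch = v
  branch = [major, minor]
  if FIXED_RELEASES.key?(branch)
    patch >= FIXED_RELEASES[branch] ? :patched : :vulnerable
  elsif (branch <=> OLDEST_FIXED_BRANCH) < 0
    :upgrade_required
  else
    :newer_than_advisory
  end
end

# Smallest release on the same branch that carries the fix, or nil when the
# branch has no fixed release and a move to a newer branch is needed.
def gitlab_fix_target(version_str)
  v = parse_gitlab_version(version_str)
  return nil unless v
  branch = v[0, 2]
  fixed_patch = FIXED_RELEASES[branch]
  fixed_patch ? "#{branch[0]}.#{branch[1]}.#{fixed_patch}" : nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inventory; the host names and versions are made up.
  inventory = {
    "git-a" => "17.9.1-ee", "git-b" => "17.8.5-ee",
    "git-c" => "17.6.3-ce", "git-d" => "17.10.0-ee",
  }
  inventory.each do |host, ver|
    target = gitlab_fix_target(ver)
    advice = target ? "upgrade to #{target}" : "move to a fixed branch"
    puts format("%-6s %-12s %-20s %s", host, ver, gitlab_fix_status(ver), advice)
  end
end
```

The version string is compared only within its own minor branch, because each of 17.7, 17.8 and 17.9 has its own fixed patch release; a 17.6.x instance has no fixed release on its branch and must move to one of the fixed branches rather than apply a patch update.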
Description
CVE-2025-27407 is an "Improper Control of Generation of Code" type of vulnerability (also known as "Code Injection") in graphql-ruby, the Ruby implementation of GraphQL, and could allow an attacker-controlled authenticated user account attempting to transfer a maliciously crafted project via the Direct Transfer feature to execute code remotely, under certain circumstances. Defenders who cannot patch immediately can remove the risk of exploitation by disabling Direct Transfer.
CVE-2025-25291 and CVE-2025-25292 are "Improper Verification of Cryptographic Signature" and "Interpretation Conflict" types of vulnerability in ruby-saml, which provides Security Assertion Markup Language (SAML) single sign-on (SSO) for Ruby. Because the ReXML and Nokogiri parsers can produce different document structures from the same XML input, the element whose signature is verified need not be the element whose contents are consumed, so an attacker could carry out a Signature Wrapping attack that leads to authentication bypass.
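The following is an added example (not part of this advisory and not ruby-saml code) that illustrates the structural invariants a service provider can enforce on a SAML Response before consuming it, which are exactly the invariants a wrapped document violates: exactly one Signature, a same-document Reference URI that resolves to one and only one element, that element enclosing the Signature, and the Assertion being consumed being that signed element. It uses only Ruby's standard-library REXML parser, the sample Responses and their placeholder SignatureValue are constructed, and it deliberately does not verify the XML-DSig itself; cryptographic verification stays with the SAML library, and the parser differential in ruby-saml is removed by upgrading, not by this check.

```ruby
require "rexml/document"

# Added example: structural checks on a SAML Response before trusting it.
# Not ruby-saml code; sample documents below are constructed.

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS  = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS    = "http://www.w3.org/2000/09/xmldsig#"

# Returns the REXML Assertion element that may be consumed, or a Symbol naming
# the reason the Response must be rejected.
def trusted_assertion(xml)
  doc = REXML::Document.new(xml)
  ns = { "ds" => DS_NS, "saml" => SAML_NS }

  signatures = REXML::XPath.match(doc, "//ds:Signature", ns)
  return :no_signature if signatures.empty?
  return :multiple_signatures if signatures.size > 1
  signature = signatures.first

  reference = REXML::XPath.first(signature, "./ds:SignedInfo/ds:Reference", ns)
  uri = reference && reference.attributes["URI"]
  return :bad_reference unless uri && uri.start_with?("#") && uri.length > 1
  signed_id = uri[1..-1]

  # Resolve the ID over the whole tree ourselves: more than one element with
  # the same ID is precisely the ambiguity a wrapped document relies on.
  holders = REXML::XPath.match(doc, "//*[@ID]").select { |el| el.attributes["ID"] == signed_id }
  return :unresolved_reference if holders.empty?
  return :duplicate_id if holders.size > 1
  signed = holders.first

  # Enveloped signature: the Signature must sit directly inside the element it signs.
  return :signature_outside_signed_element unless signature.parent.equal?(signed)

  # Consume only the signed element (or the single Assertion of a signed Response).
  if signed.name == "Assertion" && signed.namespace == SAML_NS
    signed
  elsif signed.name == "Response" && signed.namespace == SAMLP_NS
    assertions = REXML::XPath.match(signed, "./saml:Assertion", ns)
    assertions.size == 1 ? assertions.first : :ambiguous_assertion
  else
    :unexpected_signed_element
  end
end

# NameID text of the trusted Assertion, or the rejection reason.
def subject_of(xml)
  result = trusted_assertion(xml)
  return result if result.is_a?(Symbol)
  name_id = REXML::XPath.first(result, "./saml:Subject/saml:NameID", "saml" => SAML_NS)
  name_id ? name_id.text : :no_subject
end

# Constructed sample: one Assertion with an enveloped signature referencing its own ID.
SIGNED_ASSERTION = <<~XML
  <samlp:Response xmlns:samlp="#{SAMLP_NS}" xmlns:saml="#{SAML_NS}" ID="_resp1">
    <saml:Assertion ID="_assert1">
      <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
      <ds:Signature xmlns:ds="#{DS_NS}">
        <ds:SignedInfo><ds:Reference URI="#_assert1"/></ds:SignedInfo>
        <ds:SignatureValue>placeholder</ds:SignatureValue>
      </ds:Signature>
    </saml:Assertion>
  </samlp:Response>
XML

# Constructed sample: the referenced ID appears on two elements, so the
# Reference no longer identifies a single signed element.
DUPLICATE_ID = <<~XML
  <samlp:Response xmlns:samlp="#{SAMLP_NS}" xmlns:saml="#{SAML_NS}" ID="_resp1">
    <saml:Assertion ID="_assert1">
      <saml:Subject><saml:NameID>someone-else@example.test</saml:NameID></saml:Subject>
    </saml:Assertion>
    <saml:Assertion ID="_assert1">
      <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
      <ds:Signature xmlns:ds="#{DS_NS}">
        <ds:SignedInfo><ds:Reference URI="#_assert1"/></ds:SignedInfo>
        <ds:SignatureValue>placeholder</ds:SignatureValue>
      </ds:Signature>
    </saml:Assertion>
  </samlp:Response>
XML

if __FILE__ == $PROGRAM_NAME
  { "signed assertion" => SIGNED_ASSERTION, "duplicate ID" => DUPLICATE_ID }.each do |label, xml|
    puts "#{label}: #{subject_of(xml).inspect}"
  end
end
```

The important design point is that the application resolves the Reference URI itself, over the same parsed tree it later reads the Subject from, and refuses any document in which that resolution is not unique; a library that verifies the signature with one parser and hands the application a tree built by another cannot give that guarantee, which is why the advisory's fix is an upgrade rather than a configuration change.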
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.