URGENT UPDATE: GitLab has just announced critical security patches to address multiple vulnerabilities that could expose sensitive data and compromise security. Organizations running GitLab’s Community Edition (CE) and Enterprise Edition (EE) must upgrade immediately to version 18.5.2, 18.4.4, or 18.3.6, whichever corresponds to the release branch they run, to protect their systems.
The most alarming issue involves a prompt injection vulnerability in GitLab Duo’s code review feature. This flaw allows attackers to embed harmful instructions in merge request comments, potentially leading to the exposure of confidential information. GitLab has identified this vulnerability in Enterprise Edition versions 17.9 and later, putting many development environments at risk, particularly those utilizing AI-assisted workflows.
Among the numerous patched vulnerabilities, notable ones include CVE-2025-11224, a high-severity cross-site scripting issue affecting the Kubernetes proxy, and CVE-2025-11865, which allows users to maliciously remove AI workflows belonging to others. These vulnerabilities could be exploited easily, with some requiring no advanced privileges or direct access to sensitive systems.
GitLab has emphasized that self-managed customers must take immediate action, since GitLab’s own cloud-hosted service has already been updated. The company warns that some updates require database migrations, which can mean downtime for single-node installations. Multi-node environments, however, can achieve near-zero downtime by following GitLab’s recommended upgrade procedures.
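As an added example (not GitLab’s code and not part of the announcement), the check below classifies a self-managed instance’s version against the three fixed versions named above and flags Enterprise Edition builds in the range the Duo prompt injection affects. The sample inventory is constructed; the version strings would normally come from an instance’s `/api/v4/version` endpoint, which is an assumption of this example.

```python
import re

# Patched versions from the release, keyed by the minor branch they belong to.
FIXED = {(18, 3): (18, 3, 6), (18, 4): (18, 4, 4), (18, 5): (18, 5, 2)}
# The Duo code review prompt injection affects Enterprise Edition 17.9 and later.
DUO_AFFECTED_FROM = (17, 9, 0)


def parse_version(text):
    """Turn strings such as '18.4.1', 'v18.4.1' or '18.4.1-ee' into an int triple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(p) for p in m.groups())


def assess(version, edition="ee"):
    """Return patch status for one instance and, if unpatched, the version to move to."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        target = FIXED[branch]
        patched = v >= target
    elif branch > max(FIXED):
        # A branch newer than the release is assumed to already carry the fixes.
        target, patched = None, True
    else:
        # A branch with no patch of its own must move to the newest fixed release.
        target, patched = FIXED[max(FIXED)], False
    # Duo exposure is an EE-only concern from 17.9 on; a patched build is not exposed.
    duo_exposed = edition.lower() == "ee" and v >= DUO_AFFECTED_FROM and not patched
    return {
        "version": version,
        "patched": patched,
        "upgrade_to": None if patched else ".".join(map(str, target)),
        "duo_exposed": duo_exposed,
    }


if __name__ == "__main__":
    # Constructed inventory (hypothetical hosts and versions), not real instances.
    inventory = [("git.example.test", "18.4.1-ee", "ee"),
                 ("ci.example.test", "18.5.2-ce", "ce"),
                 ("legacy.example.test", "17.11.3-ee", "ee")]
    for host, ver, ed in inventory:
        print(host, assess(ver, ed))
```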
As cyber threats evolve, organizations must not only apply these crucial updates but also enhance their security protocols. GitLab suggests implementing additional measures such as:
– Limiting access to GitLab Duo and AI features to trusted users.
– Enforcing strict role-based access controls (RBAC) and branch protection rules.
– Monitoring the GraphQL API for unusual activity and tracking anomalies in user behavior.
– Deploying web application firewalls (WAF) to block malicious scripts.
The announcement comes at a critical juncture when threat actors are increasingly leveraging AI to conduct sophisticated attacks. GitLab’s latest security release highlights the urgent need for robust security practices, especially as traditional vulnerabilities merge with new AI-related risks.
The growing complexity of the software development ecosystem necessitates a stronger focus on zero-trust security principles. Organizations must act swiftly to secure their environments against both legacy issues and emerging AI threats.
Stay informed and protect your systems. For more details on the update, visit GitLab’s official security release page. The time to act is NOW.
