External risk intelligence

GitLab Unauthenticated Code Execution via Crafted Webpage in Browser

CVE advisorySeverity: CRITICAL (CVSS 9.6)

CVE-2025-13761

GitLab is a widely used, internet-facing application platform that serves as a web-based service for development workflows. Given its role as a centralized web portal, it is commonly deployed with public internet exposure for remote team access.

Cross-site Scripting

Gitlab

18.6.0 to before 18.6.318.7.0

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

GitLab has addressed a critical vulnerability that could have allowed an unauthenticated user to execute arbitrary code on a user's browser. This was possible if a legitimate user visited a specially crafted webpage, effectively impersonating the user.

  • Unauthenticated users could run code via crafted web pages.
  • This affects widely used GitLab platforms.
  • Confirm GitLab relevance and exposure to users.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can trick a legitimate user into visiting a malicious webpage. This interaction exploits a vulnerability in GitLab, allowing the attacker to execute arbitrary code within the context of the user's browser session.

  • No authentication needed to start.
  • Triggered by user visiting a crafted page.
  • Leads to code execution in user's browser.

Live Threat

Current exploitation, exposure, and threat context

An unauthenticated user could execute arbitrary code within the context of an authenticated user's browser if the user visits a malicious webpage. This could impact the confidentiality, integrity, and availability of the system.

  • User browser session data and actions.
  • Via a crafted webpage and user interaction.
  • Potential for full account compromise.

Operational Fix

Recommended remediation, mitigation, and detection steps

Ownership for this GitLab vulnerability likely falls to the platform or application team responsible for managing the GitLab instance, in coordination with the security team for exposure assessment. The first step is to identify all deployed GitLab instances, confirm their reachability and business criticality, and then determine the accountable owner for remediation planning.

  • Platform or application owners should address.
  • Verify instance exposure and criticality first.
  • Plan coordinated updates during maintenance.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is GitLab and what is it used for?

GitLab is a comprehensive software development platform that provides tools for source code management, continuous integration, and project tracking. It serves as a centralized web portal where development teams collaborate on code, manage deployments, and coordinate workflows in a shared environment.

How does CVE-2025-13761 work?

This vulnerability is classified as CWE-79, or Cross-Site Scripting (XSS). It allows an attacker to inject and execute unauthorized code within the victim's browser session. By tricking a legitimate user into loading a specially crafted webpage, the attacker can force the victim's browser to perform actions on their behalf while they are logged into the application.

Do I need to be logged into GitLab for this to trigger?

Yes, the impact relies on the victim being an authenticated user. An attacker does not need to authenticate to set up the trap, but the malicious code executes in the context of an active, authenticated session. If a user is not logged into their GitLab instance, the browser has no session context for the malicious code to abuse.

Is my GitLab instance at risk?

Halo Surface Signal indicates this is a high-priority concern because GitLab is typically deployed as an internet-facing application to support remote teams. If your instance is accessible from the public internet, it significantly increases the likelihood that a user could be lured into visiting a malicious webpage.

When should I update my GitLab software?

You should prioritize updates immediately for any instances running versions 18.6 through 18.6.3, or version 18.7.0. Your first step is to inventory your active GitLab deployments, verify their accessibility, and coordinate with your platform team to apply the patches provided in the 18.6.3 and 18.7.1 releases.

References