GitLab Addressed Critical Authentication Bypass Vulnerabilities (CVE-2025-25291 & CVE-2025-25292)

GitLab recently released a security advisory addressing nine vulnerabilities affecting GitLab installations. Of these nine, GitLab has rated two as critical: tracked as CVE-2025-25291 and CVE-2025-25292, they may result in account takeover.

GitLab is a web-based DevOps lifecycle solution built by GitLab Inc., providing unrivaled insight and productivity across the DevOps lifecycle in a single application.

Vulnerabilities Detail

The vulnerabilities exist in the ruby-saml library, a third-party gem that GitLab uses for SAML authentication. SAML (Security Assertion Markup Language) is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider. GitLab uses the library whenever SAML SSO authentication is enabled at the instance or group level.

An attacker in possession of a valid signed SAML document issued by the IdP could authenticate as a different valid user registered with that same SAML IdP.

Affected versions

The vulnerabilities affect GitLab CE/EE versions 17.9.0, 17.9.1, 17.8.0, 17.8.1, 17.8.2, 17.8.3, 17.8.4, 17.7.0, 17.7.1, 17.7.2, 17.7.3, 17.7.4, 17.7.5, 17.7.6, and below.

Mitigation

Customers must upgrade to GitLab CE/EE version 17.7.7, 17.8.5, or 17.9.2 (depending on their release branch) to patch the vulnerabilities.

For more information, please visit the GitLab release announcement page.
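The following Ruby snippet is an added example, not part of the advisory or of GitLab's own tooling: it classifies a GitLab version string against the affected and fixed releases listed above, which is useful when triaging an inventory of self-managed instances. It assumes version strings of the form `17.8.3` or `17.8.3-ee` (as GitLab EE reports them), and it treats any branch newer than 17.9 as outside the advisory's scope rather than as patched.

```ruby
# Added example: classify a GitLab CE/EE version against the fixed releases
# named in the advisory for CVE-2025-25291 / CVE-2025-25292.
FIXED_VERSIONS = {
  [17, 7] => [17, 7, 7],
  [17, 8] => [17, 8, 5],
  [17, 9] => [17, 9, 2],
}.freeze

# The advisory states that everything below the 17.7 branch is affected.
OLDEST_FIXED_BRANCH = [17, 7].freeze

# Parse "17.8.3" or "17.8.3-ee" into [17, 8, 3]; reject anything unrecognised
# rather than silently treating it as safe.
def parse_version(str)
  m = str.strip.match(/\A(\d+)\.(\d+)\.(\d+)/)
  raise ArgumentError, "unrecognised GitLab version: #{str.inspect}" unless m
  m.captures.map(&:to_i)
end

# Returns :vulnerable, :patched, or :unlisted. :unlisted means the branch is
# newer than the advisory covers (assumption: confirm against release notes,
# do not assume it is fixed just because it is newer).
def assess(version_str)
  major, minor, patch = parse_version(version_str)
  branch = [major, minor]
  # Array <=> compares element-wise, so [16, 11] < [17, 7] as intended.
  return :vulnerable if (branch <=> OLDEST_FIXED_BRANCH).negative?

  fixed = FIXED_VERSIONS[branch]
  return :unlisted if fixed.nil?

  ([major, minor, patch] <=> fixed).negative? ? :vulnerable : :patched
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inventory, not real hosts.
  %w[17.9.1 17.9.2 17.8.4-ee 17.7.7 16.11.0 17.10.0].each do |v|
    puts "#{v}: #{assess(v)}"
  end
end
```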

Workaround

Users who cannot yet upgrade vulnerable GitLab instances may apply the following mitigations to reduce exposure to the flaw:

  1. Enable GitLab two-factor authentication for all user accounts on the GitLab self-managed instance.
  2. Do not allow the SAML two-factor bypass option in GitLab.
  3. Require admin approval for automatically created new users (set `gitlab_rails['omniauth_block_auto_created_users'] = true` in gitlab.rb).

Qualys Detection

Qualys customers can scan their devices with QID 382943 to detect vulnerable assets.

Please follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released/#cve-2025-25291-and-cve-2025-25292-third-party-gem-ruby-saml
