How to fix EUVD-2025-27718?

Within 24 hours: Identify all GitLab EE instances and their versions; assess whether affected versions (16.6-17.9.6, 17.10.0-17.10.4, 17.11.0) are in use and internet-facing. Within 7 days: Implement WAF rules to block suspicious XSS payloads targeting GitLab; restrict GitLab access to corporate networks via VPN or IP allowlisting; disable or restrict user-generated content features if operationally feasible. Within 30 days: Plan immediate upgrade to patched versions (17.9.7+, 17.10.5+, 17.11.1+) as patches become available; conduct a security audit of GitLab configurations and user activity logs for exploitation signs.

Is Gitlab affected by EUVD-2025-27718?

GitLab EE instances are vulnerable to cross-site scripting (XSS) and content security policy bypass attacks that could allow attackers to steal user sessions, credentials, or perform unauthorized actions within affected users' browsers.

EUVD-2025-27718

| CVE-2025-2443 HIGH

2025-06-20 [email protected]

8.7

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 15, 2026 - 00:19 vuln.today

EUVD ID Assigned

Mar 15, 2026 - 00:19 euvd

EUVD-2025-27718

CVE Published

Jun 20, 2025 - 18:15 nvd

HIGH 8.7

Description

An issue has been discovered in GitLab EE that allows for cross-site-scripting attack and content security policy bypass in a user's browser under specific conditions, affecting all versions from 16.6 before 17.9.7, 17.10 before 17.10.5, and 17.11 before 17.11.1.

Analysis

A security vulnerability in all (CVSS 8.7) that allows for cross-site-scripting attack and content security policy bypass. High severity vulnerability requiring prompt remediation.

Technical Context

CWE-79 (Cross-site Scripting). CVSS 8.7 indicates high severity. Affects all.

Affected Products

['all']

Remediation

Monitor vendor channels for patch availability.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +44

POC: 0

Vendor Status

Ubuntu

Priority: Medium

gitlab

Release	Status	Version
noble	DNE	-
xenial	ignored	-
jammy	DNE	-
oracular	DNE	-
plucky	DNE	-
upstream	not-affected	debian: Specific to EE

Debian

gitlab

Release	Status	Fixed Version	Urgency
sid	fixed	17.6.5-19	-
(unstable)	not-affected	-	-

EUVD-2025-27718 vulnerability details – vuln.today

Back

EUVD-2025-27718

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

EUVD-2025-27718

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

External POC / Exploit Code