GitLab Patch Release: 18.1.2, 18.0.4, 17.11.6

Today, we are releasing versions 18.1.2, 18.0.4, 17.11.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.

GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.

For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.

We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.

Recommended Action

We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.

Security fixes

Table of security fixes

Title	Severity
Cross-site scripting issue impacts GitLab CE/EE	High
Incorrect authorization issue impacts GitLab CE/EE	Medium
Incorrect authorization issue impacts GitLab EE	Low
Incorrect authorization issue impacts GitLab EE	Low

CVE-2025-6948 - Cross-site scripting issue impacts GitLab CE/EE

GitLab has remediated an issue that, under certain conditions, could have allowed a successful attacker to execute actions on behalf of users by injecting malicious content.

Impacted Versions: all versions from 17.11 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2.
CVSS: 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.

CVE-2025-3396 - Improper authorization issue impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed authenticated project owners to bypass group-level forking restrictions by manipulating API requests.

Impacted Versions: all versions from 13.3 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2.
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Thanks theluci for reporting this vulnerability through our HackerOne bug bounty program.

CVE-2025-4972 - Improper authorization issue impacts GitLab EE

GitLab has remediated an issue that could have allowed authenticated users with invitation privileges to bypass group-level user invitation restrictions by manipulating group invitation functionality.

Impacted Versions: all versions from 18.0 before 18.0.4 and 18.1 before 18.1.2.
CVSS: 2.7(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)

Thanks mateuszek for reporting this vulnerability through our HackerOne bug bounty program.

CVE-2025-6168 - Improper authorization issue impacts GitLab EE

GitLab has remediated an issue that could have allowed authenticated maintainers to bypass group-level user invitation restrictions by sending crafted API requests.

Impacted Versions: all versions from 18.0 before 18.0.4 and 18.1 before 18.1.2.
CVSS: 2.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N)

Thanks hunter0xp7 for reporting this vulnerability through our HackerOne bug bounty program.

rsync security updates

rsync has been updated to version 3.4.1 which contains fixes for security vulnerabilities including CVE-2024-12084 and CVE-2024-12088.

Bug fixes

18.1.2

• Backport Exporter 15.5.0 to 18.1 stable
• update gitlab-org/container-registry to v4.23.2-gitlab
• Merge branch '550037-set-static-glab-version-for-release-qa-tests' into 'master'
• Quarantine a flaky test
• Fix code owner validation for roles
• Enable using glab for CI release
• Remove Sidekiq shutdown delay in ConcurrencyLimitSampler
• Refactor blob commit info section (18.1 backport)
• Backport 'Upload cached frontend stable packages' to 18-1-stable-ee
• [Backport 18.1] Reintroduce body for redirect responses
• Show both author and committer in last commit (18.1 backport)
• Fix creation of PATs using UI on relative installations
• [Backport] Zoekt: Only enable global search when nodes are online
• Fix title on empty projects (18.1 backport)
• Rake Doctor Secrets: Fix WebHook error
• Fix comment typos to trigger asset compilation
• Fix E2E test service_ping_default_enabled_spec.rb
• Fix catalog data loader memoization problem in specs
• Backport "Disable the edit button, instead of not rendering it" to 18.1
• Add a redirect status as a success backport to 18.1
• Make sure to load correct loader on every request
• Merge branch 'dattang/build-omnibus-for-release-environment' into '18-1-stable-ee'
• Backport 'dattang/export-release-environment-package-name' into '18-1-stable-ee'
• Quarantine a flaky test
• Backport: 'revert-grpc-1.72' into 18-1
• Merge branch 'jk/cache-assets-for-stable-branch' into 'master'
• Fix the owner for sequence ci_builds_id_seq
• Backport GitLab Exporter 15.5.0 to 18.1 stable
• Merge branch 'dattang/upload-package-for-release-environment' into '18-1-stable'
• Merge branch 'dattang/build-release-environment-package' into '18-1-stable'
• Merge branch 'dattang/fix-release-environment-package-name' into '18-1-stable'
• Stable branch builds: Fix versions parsing

18.0.4

• update gitlab-org/container-registry to v4.21.4-gitlab
• Use 1.59.2 version of glab in release_with_glab_spec.rb
• Quarantine a flaky test
• Remove checksum length expectation from the Gitlab::Git::Repository#checksum
• Fix Protected Tags show page
• Fix code owner validation for roles
• Remove Sidekiq shutdown delay in ConcurrencyLimitSampler
• Refactor blob commit info section (18.0 backport)
• Backport 'Upload cached frontend stable packages' to 18-0-stable-ee
• [Backport 18.0] Reintroduce body for redirect responses
• Show both author and committer in last commit (18.0 backport)
• Backport "Add a spinner for a loading elipsis menu" to 18.0
• Fix title on empty projects (18.0 backport)
• No-op ValidateCiBuildNeedsProjectIdNotNull
• Fix comment typos to trigger asset compilation
• [Backport 18.0] Fix incorrect redirect when branch doesn't include files
• Fix creation of PATs using UI on relative installations

17.11.6

• update gitlab-org/container-registry to v4.19.2-gitlab
• Use 1.59.2 version of glab in release_with_glab_spec.rb
• Quarantine a flaky test
• Remove checksum length expectation from the Gitlab::Git::Repository#checksum
• Fix code owner validation for roles
• Revert "Merge branch 'backport-fix/547265-code-owner-roles-validation-17-11'…
• Backport 'Upload cached frontend stable packages' to 17-11-stable-ee
• Fix comment typos to trigger asset compilation
• Backport 1465f38a to 17.11
• Fix incompatible Rails cache version from 7.1 to 6.1
• Fix creation of PATs using UI on relative installations
• [Backport 17.11] Fix incorrect redirect when branch doesn't include files

Updating

To update GitLab, see the Update page. To update Gitlab Runner, see the Updating the Runner page.

Receive Patch Notifications

To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.