GitLab patches critical authentication bypass vulnerabilities

• gitlab
• authbypass
• patchupdate
• samlbug
• rcefix
• securityalert
• permalink

 Facebook |  X/Twitter |  LinkedIn |  Reddit |  Email |  Link

GitLab released security updates for Community Edition (CE) and Enterprise Edition (EE), fixing nine vulnerabilities, among which two critical severity ruby-saml library authentication bypass flaws.

All flaws were addressed in GitLab CE/EE versions 17.7.7, 17.8.5, and 17.9.2, while all versions before those are vulnerable.

GitLab.com is already patched, and GitLab Dedicated customers will be updated automatically, but users who maintain self-managed installations on their own infrastructure will need to apply the updates manually.

"We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible," warns the bulletin.

The two critical flaws GitLab addressed this time are CVE-2025-25291 and CVE-2025-25292, both in the ruby-saml library, which is used for SAML Single Sign-On (SSO) authentication at the instance or group level.

These vulnerabilities allow an authenticated attacker with access to a valid signed SAML document to impersonate another user within the same SAML Identity Provider (IdP) environment.

This means an attacker could gain unauthorized access to another user's account, leading to potential data breaches, privilege escalation, and other security risks.

GitHub discovered the ruby-saml bugs and has published a technical deep dive into the two flaws, noting that its platform hasn't been impacted as the use of the ruby-saml library stopped in 2014.

"GitHub doesn't currently use ruby-saml for authentication, but began evaluating the use of the library with the intention of using an open source library for SAML authentication once more," explains GitHub's writeup.

"This library is, however, used in other popular projects and products. We discovered an exploitable instance of this vulnerability in GitLab, and have notified their security team so they can take necessary actions to protect their users against potential attacks."

Of the rest of the issues fixed by GitLab, one that stands out is a high-severity remote code execution issue tracked under CVE-2025-27407.

The flaw allows an attacker-controlled authenticated user to exploit the Direct Transfer feature, which is disabled by default, to achieve remote code execution.

The remaining issues are low to medium-severity problems concerning the denial of service (DoS), credential exposure, and shell code injection, all exploitable with elevated privileges.

GitLab users who cannot upgrade immediately to a safe version are advised to apply the following mitigations in the meantime:

• Ensure all users on the GitLab self-managed instance have 2FA enabled. Note that MFA at the identity provider level does not mitigate the problem.
  
  
• Disable the SAML two-factor bypass option.
  
  
• Request admin approval for auto-created users by setting 'gitlab_rails['omniauth_block_auto_created_users'] = true'

While these steps significantly reduce the risk of exploitation, they should only be treated as temporary mitigation measures until upgrading to GitLab 17.9.2, 17.8.5, or 17.7.7 is practically possible.

To update GitLab, head to the official downloads hub. GitLab Runner installation instructions are available here.

Comments: