Update Now: Serious GitLab Security Bugs Could Lead to System Takeovers

The government has issued a warning about serious security flaws in GitLab, cautioning organizations about potential risks to their systems and data.

The advisory comes after the release of updated GitLab versions 18.10.3, 18.9.5, and 18.8.9. These updates include important fixes for both Community Edition (CE) and Enterprise Edition (EE). Officials have labeled the issue as critical and urged government departments, system administrators, and developers to take immediate action.

According to the advisory, several types of vulnerabilities have been found in GitLab. These include issues in WebSocket connections and multiple denial-of-service weaknesses that could cause services to crash through features such as Terraform state locking, GraphQL, and CSV import.

Users of the Enterprise Edition face additional risks. These include problems in Code Quality reports that could allow harmful code to be injected, as well as cross-site scripting issues in analytics dashboards. Such flaws could allow attackers to interfere with systems or alter how they function.

The advisory also highlights other concerns, including weak access controls in the Environments API, missing permission checks in custom roles, and flaws in AI-based vulnerability detection tools. There are also risks of sensitive information being exposed through GraphQL queries and CSV export features. Together, these issues increase the chances of unauthorized access and system compromise.

Officials warned that both authenticated (logged-in) users and unauthenticated outsiders could exploit these weaknesses, making the threat more widespread. Possible consequences include system takeovers, execution of malicious code, exposure of confidential data, and prolonged service disruption.

Organizations have been instructed to immediately update to the latest patched versions or newer releases. This applies to all types of setups, including self-managed systems, isolated environments, and backup or recovery systems.

The government has also advised organizations to carefully review official release notes and apply all recommended security measures to reduce risks and protect their systems.
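A quick way to verify the remediation step above is to compare a running instance's version against the three fixed releases the advisory names. The script below is an added example, not part of the advisory or GitLab's own tooling; it assumes the standard `GET /api/v4/version` endpoint (which needs a token with `read_api` scope) and treats any branch newer than 18.10 as carrying the fixes forward.

```python
"""Check whether a GitLab version is at or above the patched releases named in
the advisory (18.10.3, 18.9.5, 18.8.9). Added example, not from the advisory."""
import json
import re
import urllib.request

# Minimum fixed version for each maintained minor branch, from the advisory.
PATCHED = {(18, 10): (18, 10, 3), (18, 9): (18, 9, 5), (18, 8): (18, 8, 9)}


def parse_version(text: str) -> tuple:
    """'18.10.2-ee' or '18.9.5' -> (18, 10, 2); edition suffixes are ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version: str) -> tuple:
    """Return (ok, reason). Branches older than 18.8 received no fix and are
    flagged; branches newer than 18.10 are assumed fixed (assumption)."""
    major, minor, patch = parse_version(version)
    floor = PATCHED.get((major, minor))
    if floor is not None:
        fixed = ".".join(map(str, floor))
        if (major, minor, patch) >= floor:
            return True, f"{version}: at or above fixed release {fixed}"
        return False, f"{version}: upgrade to {fixed} or later"
    if (major, minor) > (18, 10):
        return True, f"{version}: newer than the advisory's fixed branches"
    return False, f"{version}: branch has no fix, move to 18.8.9/18.9.5/18.10.3+"


def fetch_version(base_url: str, token: str) -> str:
    """Read the running version from GET /api/v4/version using a read_api token."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/v4/version",
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Constructed sample responses in the shape /api/v4/version returns.
    for sample in ('{"version": "18.10.2-ee"}', '{"version": "18.9.5"}',
                   '{"version": "18.7.4"}', '{"version": "18.11.0-pre"}'):
        ok, reason = is_patched(json.loads(sample)["version"])
        print("OK  " if ok else "FIX ", reason)
```

Replace the constructed samples with `fetch_version("https://gitlab.example.internal", token)` to check a live instance; the branch table is the only thing to update when a later advisory names new fixed releases.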


