Introduction
Account takeover through a single malicious work item: that is the real-world risk posed by CVE-2025-6186 in GitLab. This vulnerability enables authenticated users to inject HTML into work item names, which can compromise any user who views the item, including administrators. For organizations relying on GitLab for source code and DevOps workflows, this flaw has direct implications for project integrity and user security.
Technical Information
CVE-2025-6186 is a stored cross-site scripting (XSS) vulnerability (CWE-79) affecting GitLab Community Edition and Enterprise Edition. The vulnerability exists in the work item name field. Authenticated users can inject arbitrary HTML into this field when creating or editing a work item. The malicious payload is stored in the database and rendered unescaped in the web interface when other users view the affected work item.
The attack requires the attacker to have a valid GitLab account. Once the payload is in place, any user with access to the compromised work item will have the injected HTML executed in their browser context. This can allow theft of session cookies, execution of arbitrary JavaScript, or actions performed on behalf of the victim, including privilege escalation and account takeover if an administrator is targeted.
The root cause is insufficient input validation and output encoding on the work item name field. GitLab has previously faced similar XSS vulnerabilities in other user-controllable fields, such as status checks, user names, and integration points. This pattern highlights the challenge of comprehensive input sanitization in complex web applications.
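The rendering defect and its fix, as an added Ruby example that is not GitLab's own code: the stored title interpolated into markup without encoding, beside the HTML-encoded form, plus a heuristic audit over constructed sample titles that defenders can run against existing rows after patching. Method names, the regex and the sample titles are assumptions.

```ruby
require "erb"

# Constructed sample work item titles (not real GitLab data): one benign,
# two carrying markup of the kind the advisory describes.
SAMPLE_TITLES = [
  "Fix login timeout on SSO callback",
  "Release notes <script>/* constructed */</script>",
  "Add <img src=x onerror=\"/* constructed */\"> to banner",
].freeze

# Vulnerable rendering pattern: the stored title is interpolated into markup
# without encoding, so browser-significant characters reach the page intact.
def render_title_unescaped(title)
  "<h1 class=\"work-item-title\">#{title}</h1>"
end

# Hardened rendering: HTML-encode the title at output time. ERB::Util.html_escape
# is what Rails' <%= %> applies by default; the bug class here is a code path
# that bypasses it, e.g. marking user content html_safe or building markup by hand.
def render_title_escaped(title)
  "<h1 class=\"work-item-title\">#{ERB::Util.html_escape(title)}</h1>"
end

# Audit heuristic for defenders: flag stored titles containing an HTML tag or an
# inline event-handler attribute so they can be reviewed. This is a detection
# aid, not a sanitizer; output encoding on the render path is the actual fix.
SUSPICIOUS_TITLE = /<\s*\/?\s*[a-z][\w-]*[^>]*>|\bon[a-z]+\s*=/i

def suspicious_title?(title)
  SUSPICIOUS_TITLE.match?(title)
end

def audit_titles(titles)
  titles.select { |t| suspicious_title?(t) }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_TITLES.each do |t|
    puts "unescaped: #{render_title_unescaped(t)}"
    puts "escaped:   #{render_title_escaped(t)}"
  end
  puts "flagged for review: #{audit_titles(SAMPLE_TITLES).size}"
end
```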
Patch Information
The vulnerability has been fixed in the following GitLab versions:
- 18.2.2
- 18.1.4
- 18.0.6
Users should upgrade to one of these versions or later to fully remediate CVE-2025-6186. The patch release also addresses other XSS and permission issues. See the official advisory for full details:
Affected Systems and Versions
- GitLab Community Edition (CE) and Enterprise Edition (EE)
- All versions from 18.1 before 18.1.4
- All versions from 18.2 before 18.2.2
Other branches (such as 18.0.x) are not affected by this specific vulnerability, but should still be kept up to date for other security fixes.
Vendor Security History
GitLab has a recurring history of XSS vulnerabilities in various components, including:
- Status checks widgets (see https://gitlab.com/gitlab-org/gitlab/-/issues/367408)
- Jira integration (see https://gitlab.com/gitlab-org/gitlab/-/issues/359142)
- User name and profile fields (see https://gitlab.com/gitlab-org/gitlab/-/issues/25751)
The vendor maintains a public bug bounty program and typically responds quickly to reported issues, with coordinated patch releases and detailed advisories. However, the frequency of input sanitization flaws indicates ongoing challenges in their secure development lifecycle.