GitLab CVE-2025-7739 Stored XSS in Scoped Label Descriptions: Brief Summary and Patch Information

A brief summary of CVE-2025-7739, a stored cross-site scripting vulnerability in GitLab CE/EE versions 18.2 before 18.2.2, affecting scoped label descriptions. This post covers technical details, affected versions, patch information, and vendor security history.
ZeroPath CVE Analysis

2025-08-13
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

Malicious code injected into a GitLab label can silently compromise every developer who views it, risking session theft and unauthorized repository access. CVE-2025-7739 is a high-severity stored cross-site scripting vulnerability in GitLab CE/EE versions 18.2 before 18.2.2, located in the scoped label description feature. It allows authenticated users to persistently inject JavaScript that executes in the browser sessions of other users, including privileged project maintainers and administrators.

GitLab is a widely adopted DevSecOps platform used by organizations of all sizes for source code management, CI/CD, and project collaboration. Its label system, especially scoped labels, is central to project organization and workflow automation, making vulnerabilities in this area particularly impactful for teams relying on GitLab for secure development.

Technical Information

CVE-2025-7739 is caused by improper sanitization of user-supplied HTML in the description field of scoped labels. When an authenticated user creates or edits a scoped label (using the double-colon syntax such as priority::high), they can insert malicious HTML or JavaScript into the description. This content is stored in GitLab's database and rendered without sufficient output encoding in the web interface.

When another user views a page displaying the compromised label, the browser executes the injected script in the context of the victim's session. This can result in session hijacking, privilege escalation, or unauthorized actions performed on behalf of the victim. Exploitation requires an authenticated account, but any user with permission to create or edit scoped labels in a project or group is able to plant the payload.

The root cause is a failure to sanitize or escape HTML content in label descriptions at both input and output stages. No public code snippets are available for this issue. The vulnerability only affects the description field of scoped labels and does not impact other label fields or unrelated GitLab features.
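The store-then-render pattern described above, reduced to a runnable Ruby sketch. This is an added example written for this page, not GitLab's code: the in-memory label store, the span template (which assumes the description is shown as a tooltip via the title attribute), and the names save_label, render_label_unsafe, render_label_safe and unexpected_tags are all assumptions, and the label with its description is constructed sample data. It shows the missing output-encoding step beside the fixed version, plus a check a regression test can apply to rendered HTML.

```ruby
require "erb"

# In-memory stand-in for the labels table (constructed for this example).
LABELS = {}

# Step 1, attacker-controlled input: a user with label-edit permission saves a
# scoped label. The description is stored exactly as typed.
def save_label(title, description)
  LABELS[title] = { title: title, description: description }
end

# Step 2a, vulnerable rendering: the stored description is interpolated straight
# into HTML, so every viewer's browser treats user text as markup. This is the
# class of defect the advisory describes, shown here in simplified form.
def render_label_unsafe(title)
  label = LABELS.fetch(title)
  %(<span class="gl-label scoped-label" title="#{label[:description]}">#{label[:title]}</span>)
end

# Step 2b, hardened rendering: every user-controlled value passes through
# ERB::Util.html_escape (what Rails' `h` helper calls), which turns
# & < > " ' into entities. The browser now displays the text verbatim.
def render_label_safe(title)
  label = LABELS.fetch(title)
  desc = ERB::Util.html_escape(label[:description])
  name = ERB::Util.html_escape(label[:title])
  %(<span class="gl-label scoped-label" title="#{desc}">#{name}</span>)
end

# Regression check: the rendered HTML may only contain tags emitted by the
# template itself. Any other tag name means user input reached the page raw.
TEMPLATE_TAGS = %w[span].freeze

def unexpected_tags(html)
  html.scan(%r{</?([a-zA-Z][a-zA-Z0-9]*)}).flatten.map(&:downcase).uniq - TEMPLATE_TAGS
end

if __FILE__ == $PROGRAM_NAME
  # Constructed description carrying a script tag, the canonical stored-XSS probe.
  save_label("priority::high", "Urgent work <script>alert(1)</script>")
  unsafe = render_label_unsafe("priority::high")
  safe   = render_label_safe("priority::high")
  puts "unsafe: #{unsafe}"
  puts "  leaked tags: #{unexpected_tags(unsafe).inspect}"
  puts "safe:   #{safe}"
  puts "  leaked tags: #{unexpected_tags(safe).inspect}"
end
```

Escaping at output time is the control that holds regardless of how the value got into the database; input-side filtering on its own leaves older stored rows and other write paths (API, imports) unprotected, which is why the root cause above is framed as both stages.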

Patch Information

GitLab has released patches addressing this and other vulnerabilities in the following versions:

  • 18.2.2 (and later)
  • 18.1.4 (and later)
  • 18.0.6 (and later)

For CVE-2025-7739 specifically, upgrade to GitLab CE/EE 18.2.2 or newer. This release remediates the stored XSS in scoped label descriptions. See the official advisory for full details:

Affected Systems and Versions

  • GitLab Community Edition (CE) and Enterprise Edition (EE)
  • Versions 18.2 before 18.2.2
  • Only the scoped label description feature is affected
  • Any configuration where users can create or edit scoped labels is vulnerable
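A fleet check against the affected range above, as an added example that is not ZeroPath's or GitLab's tooling. It assumes version strings in the form the GitLab API's GET /api/v4/version endpoint returns, where Enterprise Edition instances carry an "-ee" suffix; the inventory hash and the function names core_version, affected_by_cve_2025_7739? and affected_hosts are constructed for this example.

```ruby
require "rubygems"

# Constructed inventory mapping host to the "version" field of that host's
# GET /api/v4/version response (EE instances carry an "-ee" suffix).
INVENTORY = {
  "git.example.internal" => "18.2.1-ee",
  "gitlab-ce.lab"        => "18.2.0",
  "patched.example"      => "18.2.2-ee",
  "older.example"        => "18.1.4"
}.freeze

# Affected range for CVE-2025-7739 as stated in the advisory: 18.2 before 18.2.2.
AFFECTED_FROM = Gem::Version.new("18.2")
FIXED_IN      = Gem::Version.new("18.2.2")

# Drop the edition suffix before comparing. Left in place, Gem::Version treats
# "-ee" as a prerelease tag and sorts 18.2.2-ee below 18.2.2, which would
# misreport a patched EE instance as still vulnerable.
def core_version(version_string)
  Gem::Version.new(version_string.split("-").first)
end

def affected_by_cve_2025_7739?(version_string)
  v = core_version(version_string)
  v >= AFFECTED_FROM && v < FIXED_IN
end

# Hosts that still need the 18.2.2 upgrade, sorted for stable output.
def affected_hosts(inventory)
  inventory.select { |_host, version| affected_by_cve_2025_7739?(version) }.keys.sort
end

if __FILE__ == $PROGRAM_NAME
  affected_hosts(INVENTORY).each do |host|
    puts "#{host}: #{INVENTORY[host]} -> upgrade to 18.2.2 or later"
  end
end
```

Note that 18.1.4 and 18.0.6 appear in the patch list above because they fix other issues in the same release; for this CVE the page gives only the 18.2 line as affected, so the check deliberately reports 18.1.x and 18.0.x hosts as out of range.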

Vendor Security History

GitLab has a documented history of cross-site scripting issues in its label management features. Previous vulnerabilities include stored XSS in label colors and descriptions (see GitLab Issue 291004 and GitLab Issue 370873). The vendor maintains a public bug bounty program and typically releases coordinated security patches and advisories. Patch response times are generally fast, but the recurrence of similar issues suggests ongoing challenges with input validation and output encoding in user-generated content areas.
