DevOps platform vulnerabilities rise in 2025 report

Mon, 1st Jun 2026
Mark Tarre, News Chief

GitProtect.io has released a report on vulnerabilities across major DevOps platforms in 2025. The study found that 236 vulnerabilities were patched during the year.

Of those, 59% were rated high or critical severity: 14 were classified as critical, 126 as high, 75 as medium and 21 as low. The report examined issues affecting GitHub, GitLab, Azure DevOps and Atlassian products including Jira and Bitbucket.

The data showed a clear rise in both the number and severity of flaws as the year progressed. Patched vulnerabilities increased 30% in the second half to 139 from 97 in the first half, while the number of critical flaws rose from four to 10 over the same period.

Quarterly figures showed a steady increase through the year: 45 in the first quarter, 52 in the second, 60 in the third and 79 in the fourth. That made the final quarter the busiest period, accounting for 34% of the annual total.

November was the most active month, with 36 patched vulnerabilities, or 15% of the annual total. The report linked the increase to growing pressure on development and security teams as software supply chains become more complex.

Platform breakdown

GitLab recorded the most patched vulnerabilities at 129. Even so, that was a 16% year-on-year decline from 153 in 2024. Only two of the 2025 issues were classified as critical: CVE-2025-25291 and CVE-2025-25292, both linked to the ruby-saml library and authentication logic.

Atlassian products accounted for 87 vulnerabilities, including 48 in Bitbucket and 39 in Jira. All were classified as high or critical severity, and Bitbucket's total was up 58% year on year from 2024.

Two Atlassian-related vulnerabilities received a CVSS score of 10.0, the maximum on the scale. They were CVE-2024-38999, described as remote code execution in Bitbucket through a third-party dependency, and CVE-2025-66516, an XML external entity injection issue in Jira affecting confidentiality, integrity and availability.

GitHub patched 18 vulnerabilities during the year, including five affecting GitHub Enterprise Server and 13 affecting GitHub Cloud. Four of the cloud flaws were classified as critical, including CVE-2025-178, which the report described as a composite GitHub Action vulnerability with a CVSS score of 10.0 that allowed arbitrary code execution.

Microsoft Azure DevOps had two critical vulnerabilities patched in 2025. One was CVE-2025-47158, which the report said allowed unauthenticated attackers to bypass authentication and manipulate assumed-immutable data, resulting in network-based privilege escalation.

Rising pressure

The report presented the trend as a challenge for organisations that rely on hosted and on-premises development tools to manage code, workflows and software delivery. It pointed to the scale of these ecosystems, citing more than 180 million developers and 630 million repositories on GitHub, 50 million users on GitLab and 15 million developers using Bitbucket to manage about 30 million repositories.

These platforms sit at the centre of software development operations, so security flaws affect not only platform operators but also customers managing source code and internal workflows. High and critical vulnerabilities can expose organisations to unauthorised access, privilege escalation and system compromise if left unresolved.

The findings also showed that severity increased alongside volume. High-severity flaws climbed 55%, from 39 in the first half to 87 in the second, while the final quarter posted a 76% increase in total patched vulnerabilities compared with the first quarter.

GitProtect.io argued that users of DevOps platforms still bear responsibility for protecting their own data even when vendors patch infrastructure flaws. It said organisations should maintain independent backups of repositories and metadata to preserve access to critical information during platform incidents or maintenance.

GitProtect.io is part of Xopero Software and provides backup and recovery products for data held in systems including Jira, Bitbucket, GitHub, GitLab and Azure DevOps. Its products are used by more than 2,000 organisations in more than 60 countries.

The report said the tools used to build and manage software are under constant scrutiny, requiring development and security teams to prioritise rapid patching and vigilant management.