DevOps Vulnerabilities Hit 236, With 59% Rated High or Critical Severity
Securing the software supply chain has become a growing operational challenge for modern development teams. In 2025, major DevOps platforms patched a total of 236 vulnerabilities. 59% of these were classified as high or critical severity, meaning they could be exploited to cause serious damage, including unauthorized access to sensitive data, privilege escalation, or partial system compromise.
Vulnerability volume and severity both accelerated sharply in H2, with Q4 emerging as the most active and riskiest quarter. The overall severity breakdown for the year included 14 critical, 126 high, 75 medium, and 21 low-severity vulnerabilities.
GitProtect.io's "DevOps Threats Unwrapped Report" examines the scale, frequency, and impact of these vulnerabilities, highlighting the growing challenge of securing increasingly complex DevOps ecosystems.
A Clear Upward Trend: The Second Half of 2025 Sees Spikes
The vulnerability landscape did not just grow in volume; it accelerated as the year progressed. The number of patched vulnerabilities increased by 30% in the second half of the year, rising from 97 in H1 to 139 in H2.
Quarterly data confirms a consistent upward trend:
- Q1 ended with 45 vulnerabilities.
- Q2 saw a 16% increase to 52 vulnerabilities.
- Q3 saw 60 vulnerabilities, a 15% jump.
- The most notable spike occurred in Q4, which reached 79 vulnerabilities – a 32% increase quarter-over-quarter.
Q4 was the most active quarter of the year, accounting for 34% of all patched vulnerabilities in 2025 and representing a 76% increase over Q1.
The number of patched critical vulnerabilities rose from just 4 in the first half of the year to 10 in the second half. High-severity flaws showed the same upward trend, increasing by 55% from H1 (39) to H2 (87). November 2025 alone saw the highest single-month total, with 36 patched vulnerabilities making up 15% of the annual total.
Taken together, these figures point to a rapidly intensifying threat landscape, where not only the number of vulnerabilities is growing, but also their severity, forcing organizations to respond faster and more proactively than ever before.
Platform Breakdown: Navigating Risks in a Massive Ecosystem
DevOps platforms function as the core operational engine for a vast number of enterprises. With over 180 million developers and 630 million repositories on GitHub, 50 million users on GitLab, and 15 million developers on Bitbucket managing roughly 30 million repositories, the stability and security of these tools directly impact millions of users and their proprietary code.
The report examines how these industry leaders maintained stability and trust by identifying and mitigating complex threats throughout the year.
GitHub
The platform patched 18 vulnerabilities in 2025. Five affected GitHub Enterprise Server, while 13 affected GitHub Cloud. Four of the Cloud flaws were critical, including CVE-2025-178 – a composite GitHub Action vulnerability carrying a maximum CVSS score of 10.0 that allowed arbitrary code execution.
Microsoft Azure DevOps
Microsoft patched two critical vulnerabilities within Azure DevOps. Notably, CVE-2025-47158 allowed unauthenticated attackers to bypass authentication and manipulate assumed-immutable data, leading to network-based privilege escalation.
GitLab
While GitLab patched the highest volume with 129 vulnerabilities, this actually represented a 16% year-over-year decrease from the 153 patched in 2024. Only two of these were critical (CVE-2025-25291 and CVE-2025-25292). Both were tied to the ruby-saml library and authentication logic.
Atlassian (Jira & Bitbucket)
Atlassian patched 48 vulnerabilities in Bitbucket and 39 in Jira. Every single one of these 87 vulnerabilities was classified as critical or high severity. Bitbucket saw a 58% year-over-year increase in patched vulnerabilities compared to 2024. Two Atlassian vulnerabilities received the highest possible CVSS score of 10.0: CVE-2024-38999 (remote code execution in Bitbucket via a third-party dependency) and CVE-2025-66516 (XML external entity injection in Jira, impacting confidentiality, integrity, and availability).
Strengthening DevOps Resilience
The data from 2025 makes it clear: the tools used to build and manage the world's software are subject to constant evaluation, requiring development and security teams to prioritize rapid patching and vigilant management.
While platforms work diligently to patch vulnerabilities and secure their infrastructure, users are responsible for the protection and availability of their own data. To ensure maximum security and accessibility, organizations should maintain independent backups of their repositories and metadata. This proactive approach ensures that, regardless of platform-level security events or maintenance, critical intellectual property remains secure, accessible, and resilient.
To download the full report, visit GitProtect.io.
About GitProtect.io
GitProtect.io by Xopero Software is an automated and manageable backup and recovery solution for Jira, Bitbucket, GitHub, GitLab, Azure DevOps, and other DevOps stack data. It ensures data accessibility and seamless workflow for Jira Admins, DevOps, and Security Teams. Trusted by Security Teams, it helps them meet the Cloud Shared Responsibility Model, comply with security standards, and benefit from audit-ready governance, advanced reporting, and best-in-class security controls. The company's solutions are used in over 60 countries by more than 2,000 organizations, including Fortune 500 companies.