Azure DevOps Logged Two Critical Flaws in a 236-Bug Year
Azure DevOps closed out 2025 with only two critical vulnerabilities patched, the lowest critical count among the major code platforms in GitProtect.io’s annual DevOps threats report. The study logged 236 fixed flaws in total across GitHub, GitLab, Atlassian’s tools and Microsoft’s platform, and 59% of them carried high or critical ratings.
The two-bug figure flatters Microsoft’s platform. One of those defects let an unauthenticated attacker walk straight past the login screen, and the report’s wider warning lands on every team that runs hosted code: fixing the platform does nothing for the repositories and project data sitting on top of it.
The 2025 Tally: 236 Flaws, 59% High or Critical
GitProtect.io, the backup vendor that compiled the study, counted every patched flaw across GitHub, GitLab, Azure DevOps and Atlassian’s Jira and Bitbucket through the year. Of the 236 Common Vulnerabilities and Exposures (CVE, the public catalogue of disclosed security bugs), 14 were rated critical, 126 high, 75 medium and 21 low. That puts well over half the year’s fixes in the two highest severity bands.
The load was spread unevenly. GitLab carried the heaviest count by a wide margin, while Microsoft’s platform sat at the bottom of the table. The breakdown shows how differently each vendor’s year played out.
| Platform | Patched flaws (2025) | Critical | Year-on-year change |
|---|---|---|---|
| GitLab | 129 | 2 | Down 16% from 153 |
| Atlassian (Bitbucket + Jira) | 87 | 2 (both CVSS 10.0) | Bitbucket up 58% |
| GitHub | 18 | 4 (cloud) | Not stated |
| Azure DevOps | 2 | 2 | Not stated |
Two Atlassian bugs hit the maximum Common Vulnerability Scoring System (CVSS) value of 10.0: CVE-2024-38999, a remote code execution flaw in Bitbucket traced to a third-party dependency, and CVE-2025-66516, an XML external entity (XXE) injection bug in Jira that touched confidentiality, integrity and availability at once. GitLab’s only two criticals, CVE-2025-25291 and CVE-2025-25292, both tied back to the ruby-saml library and broken authentication logic. The full numbers sit in the 2025 DevOps threats report.

Azure DevOps Logged Two Critical Bugs, One an Authentication Bypass
Microsoft’s platform looks clean next to GitLab’s 129 fixes, but raw volume hides the part that matters. The report detailed one of the two Azure DevOps criticals, and it was the kind of flaw that does not need a foothold to start with.
How CVE-2025-47158 Bypassed the Login
CVE-2025-47158 was an elevation-of-privilege flaw classed under CWE-302, authentication bypass by assumed-immutable data. In plain terms, the platform trusted identity tokens it assumed could not be tampered with. An attacker who forged one of those tokens could send it to a vulnerable endpoint, have it accepted as legitimate, and climb to elevated access over the network without any valid credentials.
That combination, unauthenticated plus network-reachable plus privilege escalation, is why the report flagged it as a serious case rather than a routine fix. Reaching elevated access on a code platform can mean reaching pipelines, source code and deployment environments in one move. Microsoft published the fix in its mid-2025 security cycle, and the details sit in the Azure DevOps Server elevation-of-privilege advisory.
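As an added illustration of the CWE-302 pattern the report names (authentication bypass by assumed-immutable data), and not Azure DevOps code or a description of Microsoft's actual token format: a check that trusts client-encoded claims sits beside one that verifies an HMAC tag before reading any claim. The secret and claim values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret for illustration only; a real service keeps this out of source.
SERVER_SECRET = b"example-secret-for-illustration-only"


def encode_claims_unsigned(claims: dict) -> str:
    """Encode claims with no integrity protection; anyone can produce this."""
    return base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()


def is_admin_vulnerable(token: str) -> bool:
    """CWE-302 pattern: the server decodes the token and trusts the 'role'
    field as if the client could not have altered it."""
    claims = json.loads(base64.urlsafe_b64decode(token))
    return claims.get("role") == "admin"


def issue_signed_token(claims: dict) -> str:
    """Server-side issuance: bind the encoded claims to a keyed MAC."""
    body = encode_claims_unsigned(claims)
    tag = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def verify_signed_token(token: str) -> Optional[dict]:
    """Reject any token whose tag does not match before reading a single claim."""
    body, _, tag = token.rpartition(".")
    if not body:
        return None  # no tag at all: an unsigned blob is not a token
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # altered body or forged tag
    return json.loads(base64.urlsafe_b64decode(body))


def is_admin_hardened(token: str) -> bool:
    """Same authorisation decision, but only on verified claims."""
    claims = verify_signed_token(token)
    return claims is not None and claims.get("role") == "admin"
```

The vulnerable check accepts a self-made claim set over the network, which is the shape of flaw the report describes; the hardened check fails closed on anything the server did not sign.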
Why It Hit Server, Not the Cloud Service
Independent analyses of the bug point at Azure DevOps Server, the self-hosted on-premise edition, for versions running token-handling logic from before the June 2025 patches. Teams on the fully managed cloud service receive vendor-applied fixes, but anyone running their own Server instance has to install the update themselves. That distinction decides who is still exposed today.
The Curve Bent Upward as the Year Closed
The headline count is one thing; the shape of the year is another. Patched flaws climbed quarter by quarter, and the fourth quarter turned into the busiest stretch of all, carrying 34% of the annual total on its own.
- First quarter: 45 patched flaws
- Second quarter: 52
- Third quarter: 60
- Fourth quarter: 79
November alone accounted for 36 fixes, roughly 15% of the year. Severity tracked the volume upward rather than diluting it: critical flaws rose from four in the first half to 10 in the second, and high-severity bugs more than doubled, from 39 to 87. The fourth quarter ran 76% ahead of the first. GitProtect tied the climb to mounting pressure on engineering and security teams as software supply chains grow more tangled.
Why Patching the Platform Doesn’t Patch Your Repos
This is where the report turns from a scorecard into an argument. These platforms are not niche tools. GitHub alone hosts more than 180 million developers and 630 million repositories; GitLab counts 50 million users; Bitbucket carries 15 million developers managing some 30 million repositories. A flaw in any of them ripples out to every customer storing code and workflows on the service.
Vendors patch their own infrastructure. What they do not do is restore your data when an incident, an outage or a botched maintenance window takes a repository offline. GitProtect’s case is that the responsibility for keeping code and metadata reachable stays with the team using the platform, even after every infrastructure bug is fixed.
Back it up. Use automated backups for code, pipelines, issues, and boards.
That line comes from GitProtect.io’s own guidance in its earlier DevOps threats write-up, and the company has an obvious stake in saying it: GitProtect, part of Xopero Software, sells backup and recovery products for exactly these systems and counts more than 2,000 organisations across 60-plus countries as customers. The self-interest does not make the point wrong. A patched authentication bypass stops the next attacker from getting in; it does nothing to recover work already lost.
What Azure DevOps Teams Can Do Now
For Microsoft shops, the practical takeaways are narrow and concrete. The cloud service handles its own patching, so the urgent work falls on self-hosted Server deployments and on the data-protection gap the report keeps circling back to.
- Apply the mid-2025 Server patches that close CVE-2025-47158, and confirm no instance is still running pre-June token logic.
- Separate cloud and on-premise exposure, since only Server installs need manual remediation.
- Keep independent backups of repositories, pipelines, work items and boards, stored outside the platform itself.
- Mirror critical repositories across providers so a single platform incident does not stall delivery.
- Watch authentication and access logs for the token-manipulation patterns that auth-bypass flaws rely on.
The report’s bottom line is blunt. Vendors did their part with 236 fixes through the year, and Azure DevOps drew fewer critical bugs than any rival in the study. Keeping the code reachable after the next incident is still the customer’s job.
Frequently Asked Questions
How many vulnerabilities did Azure DevOps have in 2025?
Two patched flaws, both rated critical. That was the smallest tally of any major platform in GitProtect.io’s 2025 report, well below GitLab’s 129 total fixes, Atlassian’s 87 and GitHub’s 18.
What is CVE-2025-47158?
It is an elevation-of-privilege flaw in Azure DevOps classed as an authentication bypass by assumed-immutable data. An attacker could forge an identity token, have the platform accept it without valid credentials, and escalate privileges over the network, potentially reaching pipelines, source code and deployment environments.
Does the flaw affect the Azure DevOps cloud service?
The detailed analyses point at Azure DevOps Server, the self-hosted edition, on versions predating the June 2025 patches. Teams on the managed cloud service get vendor-applied fixes, while on-premise administrators must install Microsoft’s security update themselves.
Which platform had the most patched flaws?
GitLab, with 129 patched vulnerabilities. Even so, that was a 16% drop from the 153 it patched in 2024, and only two of its 2025 flaws were rated critical.
Why does the report push independent backups?
Because patching infrastructure does not restore lost data. GitProtect argues that responsibility for protecting repositories and metadata stays with the customer, so it recommends automated, off-platform backups and cross-provider mirroring to survive outages and incidents.