DevOps platforms collectively patched 236 security vulnerabilities throughout 2025, and a staggering 140 of them were rated high or critical. GitProtect.io, a security firm specializing in backup and recovery for DevOps environments, released the figures on June 1, 2026, after analyzing public advisories and vendor disclosures from the year prior. The data spans five cornerstone platforms—GitHub, GitLab, Azure DevOps, Jira, and Bitbucket—and paints a sobering picture of the threat landscape that underpins modern software development.
More than half of the flaws discovered could allow attackers to execute code remotely, escalate privileges, or exfiltrate sensitive data. The sheer volume of high–critical bugs signals that the tools developers use daily to store, build, and ship code remain a prime target for sophisticated adversaries. For enterprises, the numbers are a call to action: patching alone is no longer sufficient; the way organizations integrate security into their DevOps pipelines must change.
The Platforms in Focus
The report covers the most widely adopted DevOps platforms, each with its own security posture and patch cadence.
- GitHub remains the world’s largest code-hosting service, and its dominance makes it a frequent target. In 2025, GitHub continued to harden its Actions workflows, dependency graph, and Dependabot automations. Yet, the report shows that critical bugs in repository access controls, token handling, and Actions runner sandboxes still surfaced.
- GitLab is the preferred self-managed option for many enterprises. Its vulnerability disclosures often center on authorization flaws in the API, CI/CD pipeline execution, and container registry access. GitLab’s rapid point-release cycle means patches land quickly, but the report suggests misconfigurations still expose many instances.
- Azure DevOps, deeply integrated into the Microsoft ecosystem, saw a spike in vulnerabilities tied to pipeline permissions, OAuth app impersonation, and cross-tenant access. Behind the scenes, Microsoft’s own Security Response Center handled several high-severity bugs that could have allowed lateral movement into connected Azure services.
- Jira, Atlassian’s issue-tracking heavyweight, contributed its share of flaws, mostly injection vulnerabilities and broken access controls that could leak project data across organizations.
- Bitbucket, the other Atlassian code-hosting service, faced similar issues, along with secrets-detection bypasses that could expose credentials stored in repositories.
The aggregation of these bugs underlines a troubling reality: even mature platforms with dedicated security teams cannot eliminate risk. Continuous integration of third-party apps, marketplace extensions, and API integrations expands the attack surface beyond the core platform.
Breaking Down the Severity
Of the 236 vulnerabilities, 140 earned a CVSS score of 7.0 or above, placing them in the high or critical bucket. Critical bugs—those scoring 9.0 and up—typically enable remote code execution without any user interaction. In several cases, a single malformed API request could compromise an entire CI/CD pipeline.
GitProtect.io’s analysis highlights a recurring pattern: authentication and authorization flaws account for nearly 40% of the high-severity bugs. These include broken OAuth flows, missing permission checks on internal APIs, and cloud-identity misconfigurations. Injection vulnerabilities, especially argument injection in pipeline steps, made up another 25%. The remainder consisted of information disclosure, denial-of-service, and insecure deserialization bugs.
The report also notes that the average time to patch—the window between private disclosure and a public fix—has shortened to 22 days across the five platforms, down from 34 days in 2023. While the improvement is encouraging, it still leaves organizations exposed for three weeks if they don’t apply updates immediately.
Supply Chain Implications
Every DevOps platform is a supply-chain nexus. A single compromised account on GitHub or GitLab can seed malicious code into hundreds of downstream projects. Attackers increasingly exploit contributor trust and automated merge workflows to inject backdoors.
In 2025, the ProFTPD backdoor incident, which initially appeared in an open-source tarball hosted on GitHub, underscored how quickly a poisoned dependency can propagate. While that attack didn’t originate from a platform vulnerability, the platforms’ own security holes could be leveraged to conceal credential theft or manipulate build artifacts without triggering audit logs.
The report stresses that 18 of the high–critical bugs directly affected features that interact with artifact repositories, package registries, or deployment targets. For example, a vulnerability in Azure DevOps’ pipeline task extension mechanism could let an attacker intercept the build output and inject malware into container images before they land in ACR (Azure Container Registry). Such a scenario turns a single bug into a full-blown supply chain compromise.
Why DevOps Tools Are Prime Targets
DevOps platforms sit at the intersection of code, secrets, and infrastructure. They hold the keys to cloud environments, and their CI/CD runners often run with elevated privileges. This concentration of power makes them lucrative for cybercriminals and nation-state actors alike.
GitProtect.io’s report points to three drivers behind the sustained volume of vulnerabilities:
- Complexity of integrations. Modern pipelines chain together dozens of marketplace apps and third-party services, each expanding the trust boundary. A bug in a lesser-known Slack connector for Jenkins or a GitHub App can open a door into the entire source-control system.
- API-heavy architectures. REST and GraphQL endpoints are everywhere, and every endpoint needs consistent authorization. Even well-audited platforms occasionally miss an edge case, leading to IDOR (Insecure Direct Object Reference) or privilege escalation.
- The speed of feature release. DevOps platforms compete on innovation. Frequent updates bring new functionality but also new bugs. Security reviews can lag behind the deployment pace, especially when organizations don’t hold vendors to strict SLAs.
The report’s authors argue that while the industry has improved at discovering and fixing bugs, the fundamental problem is architectural: the permissions model in many DevOps tools is still too coarse-grained to isolate cross-project risks effectively.
Mitigation Strategies Beyond Patching
The sheer number of vulnerabilities makes a patch-and-pray approach untenable. The report outlines several proactive measures enterprises should adopt:
Enforce Least Privilege for CI/CD
Too many pipeline runners operate under broad-scope service accounts. Limit each runner’s permissions to the exact repositories, registries, and cloud resources it needs. Regularly audit and rotate credentials, and never embed secrets in code—use native secret-management integrations.
Segment DevOps Environments
Use separate GitHub or GitLab organizations for production, staging, and development. Isolate high-value repositories behind additional authentication gates, and enforce branch-protection rules that require manual approval for critical branches.
Monitor and Harden Audit Logs
Enable audit logging on all platforms and stream the data to a SIEM. Set up alerts for anomalous activity: a new deploy key added at 3 a.m., a permissions change on a CI/CD pipeline, or a bulk clone of repositories. GitProtect.io recommends treating DevOps audit logs with the same rigor as cloud-infrastructure logs.
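The three alerts named above, written out as an added example (not code from GitProtect.io or any platform’s native tooling): a small detector that reads JSON-lines audit events, flags a deploy key created outside business hours, flags a pipeline-permission change, and flags an actor who clones many distinct repositories within a short window. The event field names, the action strings, the business-hours range and the bulk-clone threshold are assumptions loosely modelled on a GitHub-style audit export, and the sample log lines are constructed.

```python
"""Detection rules over DevOps audit-log events (added example).

Three rules from the passage: off-hours deploy-key creation, pipeline
permission changes, and bulk repository cloning by one actor.  The event
shape below is an assumption, not a real platform export."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real log data).  Timestamps are epoch ms on
# 2025-01-01 UTC; the field names are assumed.
SAMPLE_LOG = """\
{"@timestamp": 1735700400000, "action": "deploy_key.create", "actor": "bob", "repo": "acme/billing"}
{"@timestamp": 1735711200000, "action": "git.clone", "actor": "alice", "repo": "acme/api"}
{"@timestamp": 1735725600000, "action": "git.clone", "actor": "mallory", "repo": "acme/api"}
{"@timestamp": 1735725660000, "action": "git.clone", "actor": "mallory", "repo": "acme/billing"}
{"@timestamp": 1735725720000, "action": "git.clone", "actor": "mallory", "repo": "acme/infra"}
{"@timestamp": 1735725780000, "action": "git.clone", "actor": "mallory", "repo": "acme/web"}
{"@timestamp": 1735725840000, "action": "git.clone", "actor": "mallory", "repo": "acme/mobile"}
{"@timestamp": 1735729200000, "action": "workflows.update_permissions", "actor": "carol", "repo": "acme/api"}
"""

BUSINESS_HOURS_UTC = range(7, 19)           # assumed working day: 07:00-18:59 UTC
OFF_HOURS_WATCH = {"deploy_key.create"}     # suspicious when it happens outside business hours
SENSITIVE_ACTIONS = {"workflows.update_permissions"}  # hypothetical pipeline-permission event name
BULK_CLONE_THRESHOLD = 5                    # distinct repos cloned by one actor ...
BULK_CLONE_WINDOW = timedelta(minutes=10)   # ... within this window


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromtimestamp(event["@timestamp"] / 1000, tz=timezone.utc)
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events):
    """Run the three rules over time-ordered events and return alert dicts."""
    alerts = []
    clones = defaultdict(list)   # actor -> [(ts, repo)] kept inside the sliding window
    bulk_flagged = set()         # alert once per actor, not once per extra clone
    for e in events:
        action, actor, ts = e["action"], e["actor"], e["ts"]

        # Rule 1: a deploy key created at 3 a.m. is worth a human look.
        if action in OFF_HOURS_WATCH and ts.hour not in BUSINESS_HOURS_UTC:
            alerts.append({"rule": "off_hours_deploy_key", "actor": actor,
                           "repo": e["repo"], "at": ts.isoformat()})

        # Rule 2: any change to CI/CD pipeline permissions is always reported.
        if action in SENSITIVE_ACTIONS:
            alerts.append({"rule": "pipeline_permission_change", "actor": actor,
                           "repo": e["repo"], "at": ts.isoformat()})

        # Rule 3: many distinct repositories cloned by one actor in a short window.
        if action == "git.clone":
            window = clones[actor]
            window.append((ts, e["repo"]))
            window[:] = [(t, r) for t, r in window if ts - t <= BULK_CLONE_WINDOW]
            repos = {r for _, r in window}
            if len(repos) >= BULK_CLONE_THRESHOLD and actor not in bulk_flagged:
                bulk_flagged.add(actor)
                alerts.append({"rule": "bulk_clone", "actor": actor,
                               "repos": sorted(repos), "at": ts.isoformat()})
    return alerts


def run_sample():
    """Apply the rules to the constructed log; returns three alerts."""
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

In practice the input is the audit export your SIEM already ingests; the thresholds and action names are starting points to tune against a baseline of normal activity (a mirroring job that legitimately clones every repository each night needs an allow-list, not a higher threshold).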
Implement an Immutable Backup Strategy
Because many DevOps attacks aim to corrupt or encrypt source code, having an air-gapped, immutable backup of repositories, wiki pages, and issues is critical. GitProtect.io’s own backup product is designed for this, but the principle stands regardless of the tool. Ransomware groups have begun explicitly targeting DevOps accounts, knowing that paying the ransom is often cheaper than losing years of code.
Shift Left on Security
Integrate static analysis, software composition analysis, and secret scanning into the developer workflow. All leading platforms offer native tools—GitHub Advanced Security, GitLab’s SAST suite, Azure DevOps’ WhiteSource Bolt—but they are frequently underutilized. Automated checks should block commits that introduce known vulnerabilities or expose credentials.
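As an added example of the last sentence (not code from any of the named platform tools): a pre-commit secret check that scans only the lines a diff adds, matches a few well-known credential formats plus a generic high-entropy assignment, and refuses the commit when anything is found. The diff, the token values and the entropy threshold are constructed for illustration; the AWS and GitHub token formats are the publicly documented prefixes, everything else is an assumption.

```python
"""Pre-commit secret scan over a unified diff (added example).

Only added lines are examined, so a secret being removed from history does
not block its own removal.  The sample diff and threshold are constructed."""
import math
import re
from collections import Counter

# Pattern order matters: the first pattern that matches a line is reported.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private_key", re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")),
    # Generic "name = value" where the name looks credential-like; the value is
    # then filtered by entropy so placeholders and words do not trip it.
    ("generic_secret", re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9/+_\-]{20,})")),
]
ENTROPY_THRESHOLD = 3.5   # assumed; bits per character of the candidate value

# Constructed diff: three real-looking secrets are added, one placeholder is
# added, and one old secret is removed (the removal must not be reported).
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,4 +1,6 @@
 import os
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
-DB_PASSWORD = "0ldS3cr3tV4lu3W1thEntr0py"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
+DB_PASSWORD = "s3cr3tV4lu3W1thEntr0py99"
+API_KEY = "placeholder_placeholder_x"
 ENDPOINT = "https://api.example.com/v1"
"""


def shannon_entropy(s):
    """Bits per character; random-looking tokens score higher than words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def mask(value):
    """Keep the prefix and two trailing chars so a finding is identifiable but not reusable."""
    return value[:4] + "*" * (len(value) - 6) + value[-2:]


def scan_diff(diff_text):
    """Return findings for secrets on added lines only."""
    findings = []
    current_file = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:]
            current_file = path[2:] if path.startswith("b/") else path
            continue
        if not line.startswith("+"):
            continue                      # context and removed lines are never reported
        added = line[1:]
        for name, pattern in SECRET_PATTERNS:
            m = pattern.search(added)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if name == "generic_secret" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue                  # low-entropy placeholder, not a credential
            findings.append({"file": current_file, "type": name, "masked": mask(value)})
            break
    return findings


def should_block(findings):
    """The hook's verdict: any finding blocks the commit."""
    return len(findings) > 0


if __name__ == "__main__":
    found = scan_diff(SAMPLE_DIFF)
    for f in found:
        print(f"{f['file']}: {f['type']} {f['masked']}")
    raise SystemExit(1 if should_block(found) else 0)
```

Wired into a pre-commit hook, the script would read `git diff --cached` on stdin instead of the embedded sample; the non-zero exit is what stops the commit. Pattern lists like this catch the obvious cases and complement, rather than replace, the platform scanners the paragraph names, which also cover the post-push and historical cases a local hook cannot.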
What This Means for Windows Users and Enterprises
For Windows-centric shops and Azure subscribers, the report carries a specific urgency. Azure DevOps is tightly woven into the Microsoft fabric. Many organizations use it to deploy code straight to Azure App Service, Azure Kubernetes Service, or Windows Server instances on-premises. A vulnerability in Azure DevOps can therefore cascade into Windows workloads.
Microsoft’s own security research found that the most damaging cloud intrusions in 2025 started with a compromised DevOps account. Once inside, an attacker can pivot from code repositories to Active Directory, using Kerberos tickets stolen from build agents. The GitProtect.io data reinforces the need to treat DevOps credentials as tier-0 assets in the Windows security model—protected by multifactor authentication, privileged access workstations, and regular reviews.
End-user Windows enthusiasts who experiment with self-hosted GitLab or Jenkins servers in their home labs are not immune either. Unpatched local instances expose internal networks to automated exploits that scan for vulnerable DevOps endpoints. The report notes a rise in commodity malware that brute-forces Jira or GitLab instances looking for leaked API keys.
Looking Ahead
GitProtect.io expects the number of patched vulnerabilities to stay elevated through 2026. As more development moves to cloud-based CI/CD and platform vendors embrace generative AI assistants that access codebases, the attack surface will only widen. The report calls for industry-wide adoption of standard vulnerability disclosure frameworks and faster, more transparent communication between vendors and customers.
Ultimately, the 236 vulnerabilities patched in 2025 are not a sign of failure but a reminder that security in DevOps is a continuous process. Tools will have bugs. The organizations that fare best will be those that treat DevOps security as a shared responsibility—embracing automation, rigorous access controls, and immutable backups while holding vendors accountable for rapid, clear remediation.
The report’s core message is unambiguous: the software supply chain starts with the platforms that host the code, and until those platforms are hardened at every layer, every downstream application inherits the risk.