CVE-2018-19585
Description
GitLab CE/EE versions 8.18 up to 11.x before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1 have CRLF Injection in Project Mirroring when using the Git protocol.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CRLF injection vulnerability in GitLab CE/EE project mirroring via the Git protocol allows attackers to inject arbitrary headers.
Vulnerability
GitLab CE/EE versions 8.18 up to 11.x before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1 contain a CRLF injection vulnerability in Project Mirroring when using the Git protocol [1]. This allows an attacker to inject carriage return and line feed characters into the mirroring process.
Exploitation
An attacker with the ability to configure project mirroring (e.g., a project owner or maintainer) can inject CRLF sequences into the mirror configuration or during the Git protocol exchange. The exact exploitation steps are not disclosed in the available references, but the vulnerability is triggered when the Git protocol processes specially crafted input.
Impact
Successful exploitation enables CRLF injection, which can lead to HTTP response splitting, header injection, or bypass of security controls. The attacker may gain the ability to inject arbitrary headers into responses or manipulate the mirroring process to achieve further compromise.
Mitigation
GitLab released fixed versions: 11.3.11, 11.4.8, and 11.5.1. Users should upgrade to these versions or later. No workaround is documented. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- GitLab/CE/EE
- Range: >=8.18, <11.3.11; >=11.4.0, <11.4.8; >=11.5.0, <11.5.1
Patches
No patches discovered yet.
References
- packetstormsecurity.com/files/160516/GitLab-11.4.7-Remote-Code-Execution.html (mitre, x_refsource_MISC)
- packetstormsecurity.com/files/160699/GitLab-11.4.7-Remote-Code-Execution.html (mitre, x_refsource_MISC)
- about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/ (mitre, x_refsource_MISC)
- about.gitlab.com/blog/categories/releases/ (mitre, x_refsource_MISC)