CVE-2020-10953
Description
In GitLab EE 11.7 through 12.9, the NPM feature is vulnerable to a path traversal issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A path traversal vulnerability in GitLab EE's NPM feature allows unauthorized file access, fixed in 12.9.1.
Vulnerability
A path traversal vulnerability exists in the NPM feature of GitLab EE versions 11.7 through 12.9. The bug allows an attacker to read arbitrary files on the server by manipulating file paths in NPM package requests. The affected versions are explicitly 11.7 to 12.9 [2].
Exploitation
An attacker with network access to the GitLab instance can exploit this by sending a crafted NPM request containing directory traversal sequences (e.g., ../). No authentication is required if the NPM feature is publicly accessible. The vulnerability is triggered during file retrieval operations [2].
Impact
Successful exploitation results in unauthorized read access to arbitrary files on the GitLab server, including sensitive configuration files, secrets, or other data. This leads to information disclosure at the privilege level of the GitLab process [2].
Mitigation
The vulnerability is fixed in GitLab EE version 12.9.1, released on March 26, 2020. Users should upgrade to 12.9.1 or later. No workaround is available [2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
3- GitLab/GitLab EEdescription
- Range: >=11.7, <=12.9
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2- about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/mitrex_refsource_CONFIRM
- about.gitlab.com/releases/categories/releases/mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.