Severity: Unrated · NVD Advisory · Published Jun 20, 2025 · Updated Jun 23, 2025
Cross-Site Request Forgery (CSRF) in GitLab
CVE-2024-4994
Description
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1.0 before 16.11.5, all versions from 17.0 before 17.0.3, and all versions from 17.1.0 before 17.1.1, which allowed a CSRF attack against GitLab's GraphQL API, leading to the execution of arbitrary GraphQL mutations.
Affected products
- cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:* (range: 16.1)
- (no CPE) range: >=16.1.0 <16.11.5, >=17.0.0 <17.0.3, >=17.1.0 <17.1.1
References
- hackerone.com/reports/2473644 (source: mitre; tags: technical-description, exploit, permissions-required)
- gitlab.com/gitlab-org/gitlab/-/issues/462012 (source: mitre; tags: issue-tracking, permissions-required)
News mentions
- GitLab Critical Patch Release: 17.1.1, 17.0.3, 16.11.5 (GitLab Security Releases · Jun 26, 2024)