Unrated severityNVD Advisory· Published May 22, 2025· Updated May 22, 2025
Insufficient Granularity of Access Control in GitLab
CVE-2025-4979
Description
An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. An attacker may be able to reveal masked or hidden CI variables (that they did not author) in the WebUI, by simply creating their own variable and observing the HTTP response.
Affected products
3cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*range: 0
- (no CPE)range: before 17.10.7, 17.11 before 17.11.3, 18.0 before 18.0.1
Patches
Vulnerability mechanics
References
1- gitlab.com/gitlab-org/gitlab/-/issues/524455mitreissue-trackingpermissions-required
News mentions
1- GitLab Patch Release: 18.0.1, 17.11.3, 17.10.7GitLab Security Releases · May 21, 2025