Unrated severityNVD Advisory· Published Nov 15, 2025· Updated Nov 17, 2025
Improper Neutralization of Special Elements used in a Command ('Command Injection') in GitLab
CVE-2025-6945
Description
GitLab has remediated an issue in GitLab EE affecting all versions from 17.8 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker to leak sensitive information from confidential issues by injecting hidden prompts into merge request comments.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*range: 17.8
- (no CPE)range: >=17.8 <18.3.6, >=18.4 <18.4.4, >=18.5 <18.5.2
Patches
Vulnerability mechanics
References
3- hackerone.com/reports/3173458mitretechnical-descriptionexploitpermissions-required
- gitlab.com/gitlab-org/gitlab/-/issues/552611mitreissue-trackingpermissions-required
- about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released/mitre
News mentions
1- GitLab Patch Release: 18.5.2, 18.4.4, 18.3.6GitLab Security Releases · Nov 12, 2025