CVE-2025-0549 MEDIUM

CVE-2025-0549: Authentication Bypass Using an Alternate Path or Channel in GitLab

Vendor Gitlab
Product GitLab
Weakness CWE-288
Published May 9, 2025
Last update May 9, 2025

CVSS base score

6.8/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.3 prior to 17.9.8, from 17.10 prior to 17.10.6, and from 17.11 prior to 17.11.2. A security vulnerability allows attackers to bypass Device OAuth flow protections, enabling authorization form submission through minimal user interaction.

Key dates

02Disclosure timeline

May 9, 2025 CVE published
May 9, 2025 Record updated