CVE-2025-4979 MEDIUM

CVE-2025-4979: Insufficient Granularity of Access Control in GitLab

Vendor Gitlab
Product GitLab
Weakness CWE-1220
Published May 22, 2025
Last update May 22, 2025

CVSS base score

4.9/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. An attacker may be able to reveal masked or hidden CI variables (that they did not author) in the WebUI, by simply creating their own variable and observing the HTTP response.

Key dates

02 Disclosure timeline

May 22, 2025 CVE published
May 22, 2025 Record updated