CVE-2025-9825 MEDIUM

CVE-2025-9825: Missing Authorization in GitLab

Vendor Gitlab

Product GitLab

Weakness CWE-862 · Missing authorization

Published November 21, 2025

Last update November 24, 2025

View on NVD All CVEs

CVSS base score

5.0/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

What the vulnerability does

01Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 to 18.2.8, 18.3 before 18.3.4, and 18.4 before 18.4.2 that could have allowed authenticated users without project membership to view sensitive manual CI/CD variables by querying the GraphQL API.

Key dates

02Disclosure timeline

November 21, 2025 CVE published

November 24, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-9825 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

04Related CVE

CVE-2025-0952 Eco Nature - Environment & Ecology WordPress Theme <= 2.0.4 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update CVE-2025-11581 PowerJob OpenAPIController runJob authorization CVE-2023-45000 WordPress LiteSpeed Cache plugin <= 5.7 - Unauthenticated Broken Access Control on API vulnerability CVE-2025-62078 WordPress Easy Upload Files During Checkout plugin <= 3.0.0 - Broken Access Control vulnerability CVE-2025-12168 Phrase TMS Integration for WordPress <= 4.7.5 - Missing Authorization to Authenticated (Subscriber+) Log Deletion

Identifiers

CVE CVE-2025-9825

CWE CWE-862

CVSS 5.0 / MEDIUM

Affected versions

Vendor Gitlab

Product GitLab

Affected ≥ 13.7 and < 18.2.8

Vendor Gitlab

Product GitLab

Affected ≥ 18.3 and < 18.3.4

Vendor Gitlab

Product GitLab

Affected ≥ 18.4 and < 18.4.2