
[CIVN-2025-0287] Multiple Vulnerabilities in Gitlab
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Multiple Vulnerabilities in Gitlab 
Indian Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
GitLab versions prior to 18.5.1, 18.4.3, 18.3.5 for Community Edition (CE) and Enterprise Edition (EE)
Overview
Multiple vulnerabilities have been reported in GitLab products which could allow a remote attacker to bypass security restrictions, cause a denial of service (DoS) condition, or compromise the targeted system.
Target Audience:
All end-user organizations and individuals using the GitLab products.
Risk Assessment:
High risk of unauthorized access to sensitive data, disruption of services, or compromise of system integrity.
Impact Assessment:
Potential exposure to data theft, privilege escalation, or service unavailability.
Description
GitLab is a web-based DevOps platform that provides tools for software development, including source code management, continuous integration and continuous deployment. It is available in both an open-source Community Edition (CE) and an Enterprise Edition (EE).
Multiple vulnerabilities exist in GitLab Community Edition (CE) and Enterprise Edition (EE) due to an improper access control issue in the runner API, an incorrect authorization issue in pipeline builds, a missing authorization issue in quick actions, a business logic error in group memberships, and denial of service issues in upload handling, event collection and JSON validation. An attacker could exploit these vulnerabilities by sending specially crafted payloads.
Successful exploitation of these vulnerabilities could allow a remote attacker to bypass security restrictions or cause a denial of service (DoS) condition on the targeted system.
Solution
Apply appropriate updates as mentioned in GitLab security release:
https://about.gitlab.com/releases/2025/10/22/patch-release-gitlab-18-5-1-released/
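As an added example (not part of the advisory or of GitLab's own tooling), a Python helper that checks collected GitLab version strings against the fixed versions named above (18.5.1, 18.4.3, 18.3.5) and reports which instances still need the update. It assumes the version strings were gathered beforehand, for example from each instance's `/api/v4/version` response or `gitlab-rake gitlab:env:info` output; the hostnames below are constructed sample data.

```python
import re

# Fixed versions listed in the advisory; any version below these on the same
# release branch (18.5 / 18.4 / 18.3) is affected.
FIXED_VERSIONS = [(18, 5, 1), (18, 4, 3), (18, 3, 5)]

def parse_version(text):
    """Extract (major, minor, patch) from strings such as '18.4.2-ee'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())

def fix_target(version):
    """Fixed version for this branch, or None if the branch is newer than all fixes."""
    for fixed in FIXED_VERSIONS:
        if fixed[:2] == version[:2]:
            return fixed
    # Older branches received no patch release: go to the newest fix.
    # Branches newer than 18.5 are assumed to already carry the fix.
    return max(FIXED_VERSIONS) if version < min(FIXED_VERSIONS) else None

def is_affected(version_text):
    version = parse_version(version_text)
    target = fix_target(version)
    return target is not None and version < target

def audit(inventory):
    """inventory: {hostname: version string} -> [(host, version, affected, fix)]."""
    report = []
    for host, text in inventory.items():
        version = parse_version(text)
        target = fix_target(version)
        affected = target is not None and version < target
        recommended = ".".join(map(str, target)) if affected else None
        report.append((host, text, affected, recommended))
    return report

# Constructed sample inventory (hostnames are placeholders), e.g. the "version"
# field of each instance's /api/v4/version response.
SAMPLE_INVENTORY = {
    "git-prod.example.internal": "18.4.2-ee",
    "git-staging.example.internal": "18.5.1-ce",
    "git-legacy.example.internal": "17.11.6-ce",
}

if __name__ == "__main__":
    for host, text, affected, recommended in audit(SAMPLE_INVENTORY):
        status = f"AFFECTED, upgrade to {recommended}" if affected else "patched"
        print(f"{host:32} {text:12} {status}")
```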
Vendor Information
Gitlab
https://about.gitlab.com/releases/2025/10/22/patch-release-gitlab-18-5-1-released/
References
Gitlab
https://about.gitlab.com/releases/2025/10/22/patch-release-gitlab-18-5-1-released/
CVE Name
CVE-2025-11702
CVE-2025-10497
CVE-2025-11447
CVE-2025-11974
CVE-2025-11971
CVE-2025-6601
CVE-2025-11989
--
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
