GitLab Web Interface Vulnerability Allowing Content Mismatch
CVE-2025-12506
3.5LOW
What is CVE-2025-12506?
A flaw in GitLab CE/EE could potentially allow an authenticated user to create a repository where the content viewed in the web interface does not match the content available for download. This discrepancy arises from inadequate handling of Git reference name resolution, which can lead to confusion and exploitation. The issue affects users in specific versions, highlighting the importance of regularly updating software to safeguard against such vulnerabilities.
Affected Version(s)
GitLab 16.5 < 18.11.7
GitLab 19.0 < 19.0.4
GitLab 19.1 < 19.1.2
References
CVSS V3.1
Score:
3.5
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Thanks [shells3c](https://hackerone.com/shells3c) for reporting this vulnerability through our HackerOne bug bounty program