Sensitive Information Leak in GitLab CE/EE Affecting Multiple Versions
CVE-2025-12734

3.5LOW

Key Information:

Vendor: Gitlab
Status: Gitlab
Vendor: CVE Published:; 11 December 2025

What is CVE-2025-12734?

GitLab has addressed a vulnerability in its CE/EE products that enables authenticated users to extract sensitive information via specifically crafted merge request titles. This flaw affects all versions released before 18.4.6, 18.5.4, and 18.6.2. Attackers with access to these merge requests could exploit this risk to expose confidential data unintentionally. It is crucial for users to update their installations promptly to ensure the security of their projects.

Affected Version(s)

GitLab 15.6 < 18.4.6

GitLab 18.5 < 18.5.4

GitLab 18.6 < 18.6.2

References

https://gitlab.com/gitlab-org/gitlab/-/issues/579573

issue-trackingpermissions-required

https://hackerone.com/reports/3379381

technical-descriptionexploitpermissions-required

https://about.gitlab.com/releases/2025/12/10/patch-releas...

CVSS V3.1

Score:

3.5

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 11, 2025
Vulnerability Reserved
Nov 4, 2025

Credit

Thanks [joaxcar](https://hackerone.com/joaxcar) for reporting this vulnerability through our HackerOne bug bounty program

JSON