Information Disclosure Vulnerability in GitLab by GitLab
CVE-2025-13978

4.3MEDIUM

Key Information:

Vendor: Gitlab
Status: Gitlab
Vendor: CVE Published:; 11 December 2025

What is CVE-2025-13978?

An information disclosure vulnerability in GitLab CE/EE allows authenticated users to access the names of private projects they do not have permissions to view via API requests. This issue impacts all versions from 17.5 prior to 18.4.6, 18.5 prior to 18.5.4, and 18.6 prior to 18.6.2, posing a risk of unintended exposure of sensitive project data.

Affected Version(s)

GitLab 17.5 < 18.4.6

GitLab 18.5 < 18.5.4

GitLab 18.6 < 18.6.2

References

https://gitlab.com/gitlab-org/gitlab/-/work_items/566960

https://gitlab.com/gitlab-org/gitlab/-/issues/566960

issue-trackingpermissions-required

https://about.gitlab.com/releases/2025/12/10/patch-releas...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 11, 2025
Vulnerability Reserved
Dec 3, 2025

Credit

This vulnerability has been discovered internally by GitLab team member Rohit Shambhuni

JSON