User Activity Tracking Vulnerability in GitLab Products by GitLab
CVE-2025-1908

7.7HIGH

Key Information:

Vendor

Gitlab
Status
Gitlab
Vendor
CVE Published:
24 April 2025

Badges

👾 Exploit Exists🟡 Public PoC📰 News Worthy

What is CVE-2025-1908?

A security issue has been identified in GitLab EE/CE that allows unauthorized tracking of user browsing activities. This tracking can lead to a complete account take-over by malicious actors. The vulnerability affects all versions from 16.6 before 17.9.7, 17.10 before 17.10.5, and 17.11 before 17.11.1, raising significant concerns regarding user data security and privacy.

Affected Version(s)

GitLab 16.6 < 17.9.7

GitLab 17.10 < 17.10.5

GitLab 17.11 < 17.11.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-1908 - Proof of Concept

News Articles

favicon imageVulert

CVE-2025-1908: GitLab Vulnerability Allows User Activity Tracking Leading to Account Takeover

Learn about CVE-2025-1908, a critical vulnerability in GitLab that allows user activity tracking and potential account takeovers. Find out how to fix it and protect your application.

References

https://gitlab.com/gitlab-org/gitlab/-/issues/523065
issue-trackingpermissions-required
https://hackerone.com/reports/3016623
technical-descriptionexploitpermissions-required

CVSS V3.1

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • 📰

    First article discovered by Vulert

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Thanks [joaxcar](https://hackerone.com/joaxcar) for reporting this vulnerability through our HackerOne bug bounty program
.