Improper Access Control Vulnerability in GitLab CE/EE
CVE-2025-2242

7.5HIGH

Key Information:

Vendor: Gitlab
Status: Gitlab
Vendor: CVE Published:; 27 March 2025

Summary

An improper access control vulnerability in GitLab Community Edition and Enterprise Edition allows users who previously held instance admin rights but were later downgraded to regular users to retain elevated privileges over groups and projects. This flaw can lead to unauthorized access and manipulation of critical organizational resources, making timely mitigation essential.

Affected Version(s)

GitLab 17.4 < 17.8.6

GitLab 17.9 < 17.9.3

GitLab 17.10 < 17.10.1

References

https://gitlab.com/gitlab-org/gitlab/-/issues/516271

issue-trackingpermissions-required

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 27, 2025
Vulnerability Reserved
Mar 12, 2025

Credit

This vulnerability was reported by a GitLab customer