IP Access Control Bypass in GitLab CE/EE
CVE-2025-2408

5.3MEDIUM

Key Information:

Vendor: Gitlab
Status: Gitlab
Vendor: CVE Published:; 10 April 2025

Badges

👾 Exploit Exists🟡 Public PoC

Summary

A vulnerability has been identified in GitLab CE/EE that allows users to potentially bypass IP access restrictions, enabling unauthorized access to sensitive information. This issue affects versions ranging from 13.12 to various iterations of 17.x. Under specific conditions, the enforcement of IP restrictions may fail, posing a risk to data confidentiality and integrity. Users should review affected versions and apply necessary updates to mitigate this issue.

Affected Version(s)

GitLab 13.12 < 17.8.7

GitLab 17.9 < 17.9.6

GitLab 17.10 < 17.10.4

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-2408 - Proof of Concept

References

https://gitlab.com/gitlab-org/gitlab/-/issues/525323

issue-trackingpermissions-required

https://hackerone.com/reports/3027775

technical-descriptionexploitpermissions-required

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Apr 10, 2025
👾
Exploit known to exist
Apr 10, 2025
Vulnerability published
Apr 10, 2025
Vulnerability Reserved
Mar 17, 2025

Credit

Thanks [rogerace](https://hackerone.com/rogerace) for reporting this vulnerability through our HackerOne bug bounty program