AI Manipulation Vulnerability in GitLab Duo with Amazon Q
CVE-2025-2867

4.4MEDIUM

Key Information:

Vendor: Gitlab
Status: Gitlab
Vendor: CVE Published:; 27 March 2025

Summary

An issue in GitLab Duo with Amazon Q allows for potential exposure of sensitive project data to unauthorized users. This vulnerability affects all versions from 17.8 prior to 17.8.6, 17.9 prior to 17.9.3, and 17.10 prior to 17.10.1. By exploiting specifically crafted issues, attackers could manipulate AI-assisted development features, compromising the security of critical project information.

Affected Version(s)

GitLab 17.8 < 17.8.6

GitLab 17.9 < 17.9.3

GitLab 17.10 < 17.10.1

References

https://gitlab.com/gitlab-org/gitlab/-/issues/512509

issue-trackingpermissions-required

CVSS V3.1

Score:

4.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Mar 27, 2025
Vulnerability Reserved
Mar 27, 2025

Credit

This vulnerability has been discovered internally by GitLab team member Félix Veillette-Potvin