User Invitation Bypass in GitLab EE Affects Multiple Versions
CVE-2025-4972

2.7LOW

Key Information:

Vendor: Gitlab
Status: Gitlab
Vendor: CVE Published:; 10 July 2025

What is CVE-2025-4972?

A vulnerability has been found in GitLab EE that allows authenticated users with invitation privileges to bypass established group-level restrictions. This flaw arises from an improper handling of the group invitation feature, permitting abuse through manipulation of the invitation process. Affected versions are those prior to 18.0.4 for 18.0 series and before 18.1.2 for 18.1 series, making it critical for administrators to ensure they are on updated versions to mitigate potential risks.

Affected Version(s)

GitLab 18.0 < 18.0.4

GitLab 18.1 < 18.1.2

References

https://gitlab.com/gitlab-org/gitlab/-/issues/543816

issue-trackingpermissions-required

https://hackerone.com/reports/3148693

technical-descriptionexploitpermissions-required

CVSS V3.1

Score:

2.7

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 10, 2025
Vulnerability Reserved
May 19, 2025

Credit

Thanks [mateuszek](https://hackerone.com/mateuszek) for reporting this vulnerability through our HackerOne bug bounty program

Gitlab

What is CVE-2025-4972?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit