WebUI Variable Disclosure in GitLab CE/EE by GitLab
CVE-2025-4979

7.5HIGH

Key Information:

Vendor: Gitlab
Status: Gitlab
Vendor: CVE Published:; 22 May 2025

What is CVE-2025-4979?

A security flaw in GitLab CE/EE allows attackers to potentially expose CI variables that they did not create. By crafting their own variables, attackers may access masked or hidden information through the WebUI's HTTP responses. This issue impacts various versions of GitLab and underscores the need for timely updates to safeguard sensitive data.

Affected Version(s)

GitLab 0 < 17.10.7

GitLab 17.11 < 17.11.3

GitLab 18.0 < 18.0.1

References

https://gitlab.com/gitlab-org/gitlab/-/issues/524455

issue-trackingpermissions-required

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 22, 2025
Vulnerability Reserved
May 20, 2025

Credit

This vulnerability was discovered internally by a GitLab team member.

Gitlab

What is CVE-2025-4979?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit