OAuth Vulnerability in Gitpod Affecting Bitbucket Integration
CVE-2025-55750
What is CVE-2025-55750?
A vulnerability in Gitpod's OAuth integration with Bitbucket allowed an authenticated user to unintentionally expose a valid Bitbucket access token through a maliciously crafted link. This issue arose from the way Bitbucket returned tokens combined with Gitpod's redirect handling. The problem was isolated to Bitbucket, and both GitHub and GitLab integrations were unaffected. User interaction was required for exploitation. Gitpod has addressed the issue by implementing improvements in redirect handling and hardening OAuth logic, with the fix available in main-gha.33628 and later versions. There are no known workarounds to mitigate this vulnerability.
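The advisory states only that the token exposure came from how Bitbucket returned the token combined with Gitpod's redirect handling, and that the fix hardened that redirect handling and the OAuth logic. The following is an added example, not Gitpod's code, showing the general defensive pattern behind such a fix: the post-login redirect target is validated against the application's own origin and reduced to a path plus query (fragments, where implicit-flow tokens travel, are never forwarded), the callback is bound to a session-stored state value compared in constant time, and the provider token stays server-side rather than being passed on in a redirect. The application origin, parameter names and session layout are assumptions made for the illustration.

```python
"""Added example, not Gitpod's code: hardened redirect handling for an OAuth
callback.  The origin, parameter names and session layout are assumptions."""
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit, urlunsplit

APP_ORIGIN = "https://app.example"  # assumed origin of the deployment


def safe_return_to(raw, app_origin=APP_ORIGIN, fallback="/"):
    """Reduce a user-supplied 'return to' value to a same-origin path (plus
    query) or return the fallback.  Anything that could send the browser to
    another host, or carry a fragment along, is rejected."""
    if not raw or any(c.isspace() or ord(c) < 0x20 for c in raw):
        return fallback
    # Protocol-relative and backslash forms resolve to foreign hosts in
    # browsers; reject them before any parsing.
    if raw.startswith(("//", "/\\", "\\")):
        return fallback
    parts = urlsplit(raw)
    app = urlsplit(app_origin)
    if parts.scheme or parts.netloc:
        # Absolute URL: scheme and host must match the application exactly
        # (this also rejects javascript:, data: and look-alike hosts).
        if parts.scheme.lower() != app.scheme or parts.netloc.lower() != app.netloc:
            return fallback
    if not parts.path.startswith("/"):
        return fallback
    # Forward only path and query; the fragment is dropped deliberately.
    return urlunsplit(("", "", parts.path, parts.query, ""))


def begin_login(session, return_to):
    """Called before redirecting to the provider: store a fresh state value and
    the already-validated return target, so neither can be chosen by the link
    that triggered the login.  Returns the state to put in the authorize URL."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    session["return_to"] = safe_return_to(return_to)
    return state


def handle_callback(session, query_string, provider_token):
    """Called when the provider redirects back.  The state is checked in
    constant time and consumed once; on mismatch the token is discarded and
    None is returned for the caller to render an error.  On success the token
    is kept server-side and only the stored same-origin target is returned as
    the next redirect location."""
    params = parse_qs(query_string)
    presented = params.get("state", [""])[0]
    expected = session.pop("oauth_state", None)
    if not expected or not hmac.compare_digest(expected, presented):
        return None
    session["bitbucket_token"] = provider_token  # never placed in a URL
    return session.pop("return_to", "/")


if __name__ == "__main__":
    # Constructed walk-through: a login started from a crafted link still
    # lands on the application's own origin.
    sess = {}
    state = begin_login(sess, "https://app.example.evil/steal#x")
    print("stored target:", sess["return_to"])          # "/"
    print("next hop:", handle_callback(sess, f"code=abc&state={state}", "tok"))
```

`safe_return_to` is the piece most directly tied to the advisory: an OAuth callback that forwards whatever target a link supplied is the usual way a valid token ends up on a host the user never intended, and reducing the target to a same-origin path removes that path regardless of how the provider delivers the token.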
Affected Version(s)
Vendor: gitpod | Product: Gitpod Classic | Affected: versions before main-gha.33628 | Fixed: main-gha.33628
Vendor: gitpod | Product: Gitpod Classic Enterprise | Affected: versions before main-gha.33628 | Fixed: main-gha.33628