Information Disclosure Vulnerability in GitLab Enterprise Edition
CVE-2025-6945
CVSS 3.5 (Low)
What is CVE-2025-6945?
GitLab has addressed a security vulnerability in its Enterprise Edition that exists in all versions from 17.8 prior to 18.3.6, 18.4 prior to 18.4.4, and 18.5 prior to 18.5.2. An authenticated attacker could exploit this flaw to leak confidential information from sensitive issues by injecting hidden prompts into merge request comments. Such a prompt injection could give the attacker unauthorized access to information that should remain confidential, exposing users' sensitive data.
Affected Version(s)
GitLab 17.8 < 18.3.6
GitLab 18.4 < 18.4.4
GitLab 18.5 < 18.5.2
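To check an instance's patch status against the three ranges above, here is an added example (not GitLab's own tooling) that parses a GitLab version string and tests it against the affected ranges from this advisory; the version strings fed to it are constructed samples, and the optional "-ee" suffix is the edition tag GitLab appends to reported versions.

```python
"""Affected-version check for CVE-2025-6945 (added example, not GitLab's code).

The three ranges below are the ones listed in the advisory. Each is
[first affected version, first fixed version), i.e. the upper bound is
exclusive because that release contains the fix.
"""
from typing import List, Tuple

Version = Tuple[int, int, int]

# (first affected, inclusive) -> (first fixed, exclusive), per the advisory
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((17, 8, 0), (18, 3, 6)),   # 17.8 prior to 18.3.6
    ((18, 4, 0), (18, 4, 4)),   # 18.4 prior to 18.4.4
    ((18, 5, 0), (18, 5, 2)),   # 18.5 prior to 18.5.2
]


def parse_version(text: str) -> Version:
    """Parse 'major.minor[.patch]' with an optional edition suffix such as '-ee'.

    A missing patch component is treated as .0, so '18.4' means 18.4.0.
    """
    core = text.strip().split("-", 1)[0]  # drop '-ee' / '-ce' edition tag
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def is_affected(version_text: str) -> bool:
    """Return True if the given GitLab version lies inside any affected range.

    Tuple comparison gives the same ordering as numeric major.minor.patch
    comparison, so a plain lo <= v < hi test is sufficient.
    """
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    # Constructed sample inputs: one vulnerable build, one patched build.
    for sample in ("18.3.5-ee", "18.3.6-ee"):
        status = "AFFECTED" if is_affected(sample) else "not affected"
        print(f"{sample}: {status}")
```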
CVSS V3.1
Score: 3.5
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Thanks to [rogerace](https://hackerone.com/rogerace) for reporting this vulnerability through our HackerOne bug bounty program.