GitLab CE/EE Vulnerability Affecting User Access to CI/CD Variables
CVE-2025-9825

5MEDIUM

Key Information:

Vendor

Gitlab
Status
Gitlab
Vendor
CVE Published:
21 November 2025

What is CVE-2025-9825?

A security issue exists in GitLab CE/EE that impacts versions 13.7 through 18.4.2. This vulnerability allows authenticated users lacking project membership to access sensitive manual CI/CD variables through queries made to the GraphQL API. Sensitive information may be disclosed, putting projects at risk of unauthorized information retrieval. It is crucial for users to update to the latest version to protect against this vulnerability.

Affected Version(s)

GitLab 13.7 < 18.2.8

GitLab 18.3 < 18.3.4

GitLab 18.4 < 18.4.2

References

https://about.gitlab.com/releases/2025/10/08/patch-releas...
https://gitlab.com/gitlab-org/gitlab/-/issues/567301
issue-trackingpermissions-required
https://hackerone.com/reports/3319800
technical-descriptionexploitpermissions-required

CVSS V3.1

Score:
5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Thanks [joaxcar](https://hackerone.com/joaxcar) for reporting this vulnerability through our HackerOne bug bounty program
JSON
.
CVE-2025-9825 : GitLab CE/EE Vulnerability Affecting User Access to CI/CD Variables