SecuriTricks - CVE-2025-2498

Description

An improper access control in Gitlab EE affecting all versions from 12.0 prior to 18.0.6, 18.1 prior to 18.1.4, and 18.2 prior to 18.2.2 that under certain conditions could have allowed users to view assigned issues from restricted groups by bypassing IP restrictions.

Product(s) Impacted

Vendor	Product	Versions
Gitlab	Gitlab	*

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-1220

Insufficient Granularity of Access Control

The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	gitlab	gitlab	/	12.0	/	/	/	/	/	/
a	gitlab	gitlab	/	18.0.0-18.0.6	/	/	/	/	/	/
a	gitlab	gitlab	/	18.1.0-18.1.4	/	/	/	/	/	/
a	gitlab	gitlab	/	18.2.0-18.2.2	/	/	/	/	/	/

References

https://gitlab.com/gitlab-org/gitlab/-/issues/525515

https://hackerone.com/reports/3037722

CVSS Score

3.1 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

View Vector String

Timeline

Published: Aug. 13, 2025, 6:15 p.m.
Last Modified: Aug. 14, 2025, 1:12 p.m.

Status : Undergoing Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

cve@gitlab.com

CVE-2025-2498