CVE-2025-4979


An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. An attacker may be able to reveal masked or hidden CI variables (that they did not author) in the WebUI, by simply creating their own variable and observing the HTTP response.


Published: 2025-05-22T14:16:08.617

Last Modified: 2025-08-08T18:33:20.263

Status: Analyzed

Source: [email protected]

Severity: CVSSv3.1: 4.9 (MEDIUM)

Weaknesses
  • Type: Secondary
    CWE-1220
  • Type: Primary
    NVD-CWE-noinfo

Affected Vendors & Products
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | gitlab | gitlab | < 17.10.7 | Yes |
| Application | gitlab | gitlab | < 17.11.3 | Yes |
| Application | gitlab | gitlab | 18.0.0 | Yes |

References