CVE-2025-1042
Published: 12 February 2025
Description
An insecure direct object reference vulnerability in GitLab EE affecting all versions from 15.7 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to view repositories in an unauthorized way.
Security Summary
CVE-2025-1042 is an insecure direct object reference (IDOR) vulnerability, classified under CWE-552, affecting GitLab Enterprise Edition (EE). It impacts all versions from 15.7 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2. Published on 2025-02-12, the flaw enables unauthorized access to repositories through improper handling of object references. The vulnerability carries a CVSS v3.1 base score of 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N), indicating moderate severity primarily due to its high confidentiality impact.
Exploitation requires high privileges (PR:H), such as those held by authenticated users with elevated roles like maintainers or owners within a GitLab instance. An attacker can leverage the IDOR flaw over the network with low complexity and no user interaction to view repositories they are not authorized to access. This results in unauthorized data exposure but does not allow modification (no integrity impact) or disruption of service (no availability impact), with scope remaining unchanged.
Mitigation involves upgrading to a patched version: 17.6.5 or later for installations on any version from 15.7 up to 17.6.x, 17.7.4 or later for the 17.7 line, and 17.8.2 or later for the 17.8 line. Additional details are available in the GitLab issue tracker at https://gitlab.com/gitlab-org/gitlab/-/issues/50849943 and in the originating HackerOne disclosure at https://hackerone.com/reports/2886976.
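The affected ranges above translate into a simple triage check. The following script is an added example, not part of the advisory or of GitLab's own tooling; it assumes a version string such as the "version" field returned by GitLab's GET /api/v4/version endpoint, and the sample inputs at the bottom are constructed.

```python
"""Check whether a GitLab EE version is affected by CVE-2025-1042.

Affected ranges and first fixed versions are taken from the advisory text.
Edition is not checked here; the advisory names GitLab EE only.
"""
import re

# (first affected version, first fixed version) per release line, from the advisory.
AFFECTED_RANGES = [
    ((15, 7, 0), (17, 6, 5)),
    ((17, 7, 0), (17, 7, 4)),
    ((17, 8, 0), (17, 8, 2)),
]


def parse_version(text):
    """Turn '17.6.3-ee', 'v17.6.3' or '17.7' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def check_cve_2025_1042(version_text):
    """Return (affected, fixed_version) for the given version string.

    fixed_version is the first patched release of the matching line as a
    string, or None when the version falls outside every affected range.
    """
    v = parse_version(version_text)
    for lower, fixed in AFFECTED_RANGES:
        if lower <= v < fixed:  # half-open: the fixed release itself is safe
            return True, ".".join(str(n) for n in fixed)
    return False, None


if __name__ == "__main__":
    # Constructed sample inputs (hypothetical instance versions).
    for sample in ["15.6.9-ee", "15.7.0-ee", "17.6.4-ee", "17.6.5-ee",
                   "17.7.3-ee", "17.8.1-ee", "17.8.2-ee", "17.9.0-ee"]:
        affected, fix = check_cve_2025_1042(sample)
        status = f"AFFECTED, upgrade to {fix}" if affected else "not affected"
        print(f"{sample:12} {status}")
```

Versions between the fixed release of one line and the start of the next (for example 17.6.6) are reported as not affected, which matches the advisory's "prior to" wording.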
Details
- CWE(s)