Cyber Posture

CVE-2025-1212

Medium

Published: 12 February 2025

Modified: 06 August 2025
CVSS Score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.0005 (15.9th percentile)
Risk Priority: 9 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

An information disclosure vulnerability in GitLab CE/EE affecting all versions from 8.3 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to send a crafted request to a backend server to reveal sensitive information.

Security Summary

CVE-2025-1212 is an information disclosure vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE), affecting all versions from 8.3 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2. The issue enables an attacker to send a crafted request to a backend server, resulting in the exposure of sensitive information. It is associated with CWE-497 and carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

The vulnerability can be exploited by a low-privileged authenticated user over the network with low attack complexity and no requirement for user interaction. Successful exploitation achieves a low-impact disclosure of confidential information without impacting integrity or availability.

Mitigation is available by upgrading to GitLab 17.6.5, 17.7.4, 17.8.2, or later versions. Further details on the issue and resolution are provided in the GitLab security advisory at https://gitlab.com/gitlab-org/gitlab/-/issues/502196.

Details

CWE(s)
CWE-497, NVD-CWE-noinfo

Affected Products

Vendor: gitlab
Product: gitlab
Affected versions: 8.3.0 — 17.6.5 · 17.7.0 — 17.7.4
