CVE-2025-2242
Published: 27 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-2242 is an authorization flaw (CWE-863, Incorrect Authorization) in GitLab Community Edition (CE) and Enterprise Edition (EE) affecting all versions from 17.4 prior to 17.8.6, 17.9 prior to 17.9.3, and 17.10 prior to 17.10.1. A user who previously held instance admin privileges and has since been downgraded to a regular user retains elevated access to groups and projects, so the intended privilege reduction is not fully enforced.
The attacker is a user who once held instance admin rights and now operates as a regular user (PR:L). The flaw is reachable over the network (AV:N) and needs no user interaction (UI:N); attack complexity is rated high (AC:H) because it depends on that specific role history, which the attacker cannot arrange on their own. Scope is unchanged (S:U): the impact stays within the GitLab instance itself. Successful exploitation yields high confidentiality, integrity and availability impact (C:H/I:H/A:H) on the affected groups and projects, meaning repository contents and project settings could be read, modified or deleted by an account that should no longer have that level of access.
Mitigation requires upgrading to GitLab 17.8.6, 17.9.3, 17.10.1, or later, as the affected version ranges indicate. After upgrading, review the group and project memberships of any account that was demoted from instance admin while an affected version was running, since the advisory does not state whether access retained through this flaw is revoked automatically. Additional details are available in the GitLab issue tracker at https://gitlab.com/gitlab-org/gitlab/-/issues/516271.
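The following is an added example, not code from GitLab or from this advisory. It turns the two practical tasks above into a script: deciding whether a given GitLab version string falls inside the affected ranges, and listing the Maintainer-or-higher group and project memberships still held by accounts that were demoted from instance admin. The access_level numbers are GitLab's own membership API values; the membership records, the set of demoted users and the "direct"/"inherited" source labels are constructed sample data, and in practice they would be pulled from the instance's membership API and admin audit events.

```python
import re
from dataclasses import dataclass

# Affected ranges from the advisory, as [introduced, fixed) tuples:
# 17.4 <= v < 17.8.6, 17.9 <= v < 17.9.3, 17.10 <= v < 17.10.1.
AFFECTED_RANGES = (
    ((17, 4, 0), (17, 8, 6)),
    ((17, 9, 0), (17, 9, 3)),
    ((17, 10, 0), (17, 10, 1)),
)

# Accepts "17.8.5", "17.8.5-ee", "17.9" (patch defaults to 0).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?$")


def parse_version(text):
    """Turn a GitLab version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(version):
    """True when the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


# GitLab access_level values used by its membership API:
# Guest=10, Reporter=20, Developer=30, Maintainer=40, Owner=50.
MAINTAINER = 40


@dataclass(frozen=True)
class Membership:
    username: str
    target: str        # e.g. "group:platform" or "project:platform/deploy"
    access_level: int
    source: str        # "direct" or "inherited" (labels assumed for this example)


def residual_access(demoted_admins, memberships, min_level=MAINTAINER):
    """Map each demoted admin to the memberships they still hold at min_level or above.

    demoted_admins: usernames whose instance admin flag was removed.
    memberships:    the current group/project membership list for those users.
    """
    findings = {}
    for m in memberships:
        if m.username in demoted_admins and m.access_level >= min_level:
            findings.setdefault(m.username, []).append((m.target, m.access_level, m.source))
    return findings


# Constructed sample data (not from any real instance): alice was demoted from
# instance admin, bob never was. alice still holds Owner on a group and
# Maintainer on a project; her Developer role on "tools" is below the threshold.
SAMPLE_DEMOTED = {"alice"}
SAMPLE_MEMBERSHIPS = [
    Membership("alice", "group:platform", 50, "direct"),
    Membership("alice", "project:platform/deploy", 40, "inherited"),
    Membership("alice", "project:tools", 30, "direct"),
    Membership("bob", "group:platform", 50, "direct"),
]


def main():
    for v in ("17.3.7", "17.8.5-ee", "17.8.6", "17.9.2", "17.10.0", "17.10.1"):
        print(f"{v:12} affected={is_affected(v)}")
    for user, grants in residual_access(SAMPLE_DEMOTED, SAMPLE_MEMBERSHIPS).items():
        print(f"review {user}:")
        for target, level, source in grants:
            print(f"  {target} access_level={level} ({source})")


if __name__ == "__main__":
    main()
```

The version check treats 17.3.x and 17.11+ as outside the ranges, matching the advisory's wording; anything the regex cannot parse raises rather than silently passing, so an odd build string in a fleet inventory surfaces instead of being skipped. The membership report is a starting point for review, not an automatic revocation: some of those grants may be legitimate, and only a person who knows the instance can tell which ones were supposed to disappear with the admin flag.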
Details
- CWE(s): CWE-863 (Incorrect Authorization)
Affected Products
GitLab CE and EE, versions 17.4 prior to 17.8.6, 17.9 prior to 17.9.3, and 17.10 prior to 17.10.1
MITRE ATT&CK Enterprise Techniques
T1068 Exploitation for Privilege Escalation
Why these techniques?
The vulnerability is an incorrect authorization flaw that lets a user demoted from instance admin keep elevated privileges on groups and projects. Exercising it is exploitation of a software vulnerability to regain privileges within the GitLab application, which maps directly to Exploitation for Privilege Escalation.