CVE-2025-2867

Published: Mar 27, 2025Modified: Aug 13, 2025

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

An issue has been discovered in the GitLab Duo with Amazon Q affecting all versions from 17.8 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. A specifically crafted issue could manipulate AI-assisted development features to potentially expose sensitive project data to unauthorized users.

Affected (6)

Products: Gitlab: Gitlab

Gitlab

1 product

Gitlab

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Gitlab Gitlab	From 17.8.0 to 17.8.6
Gitlab Gitlab	From 17.9.0 to 17.9.3
Gitlab Gitlab	From 17.8.0 to 17.8.6
Gitlab Gitlab	From 17.9.0 to 17.9.3
Gitlab Gitlab	Version 17.10.0
Gitlab Gitlab	Version 17.10.0

Related CWEs

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (1)

https://gitlab.com/gitlab-org/gitlab/-/issues/512509

Source: cve@gitlab.com

Broken Link

Timeline

No history available yet.