CVE-2025-5101

Published: Aug 27, 2025Modified: Sep 2, 2025

5.0

Vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N

Exploitability: 0.6 / Impact: 4.0

Source: cve@gitlab.com (Secondary)

Description

An issue has been discovered in GitLab CE/EE affecting all versions before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that under certain conditions could have allowed an authenticated attacker to distribute malicious code that appears harmless in the web interface by taking advantage of ambiguity between branches and tags during repository imports.

Affected (6)

Products: Gitlab: Gitlab

Gitlab

1 product

Gitlab

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Gitlab Gitlab	Before 18.1.5
Gitlab Gitlab	From 18.2.0 to 18.2.5
Gitlab Gitlab	Before 18.1.5
Gitlab Gitlab	From 18.2.0 to 18.2.5
Gitlab Gitlab	Version 18.3.0
Gitlab Gitlab	Version 18.3.0

Related CWEs

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (2)

https://gitlab.com/gitlab-org/gitlab/-/issues/545165

Source: cve@gitlab.com

Broken Link

https://hackerone.com/reports/3124199

Source: cve@gitlab.com

Permissions Required

Timeline

No history available yet.