CVE-2025-9825

Summary

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 to 18.2.8, 18.3 before 18.3.4, and 18.4 before 18.4.2 that could have allowed authenticated users without project membership to view sensitive manual CI/CD variables by querying the GraphQL API.

Affected Software

VendorProductVersion RangeStatus
GitLabGitLab13.7 < 18.2.8affected
GitLabGitLab18.3 < 18.3.4affected
GitLabGitLab18.4 < 18.4.2affected

Weaknesses

  • CWE-862: CWE-862: Missing Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References