CVE-2024-0402: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in GitLab

9.9 CVSS

Description

An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 which allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace.
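The flaw is the CWE-22 pattern: a file name supplied by the user is joined onto a server-side directory without confirming that the resolved result stays inside it. The following is an added illustration of that class of bug and its fix in Ruby; it is not GitLab's code and makes no claim about how the workspace feature is implemented. The `WORKSPACE_ROOT` directory and the `SAMPLE_PATHS` list are hypothetical inputs constructed for the example.

```ruby
# Added example, not GitLab code: a generic CWE-22 containment check.
# WORKSPACE_ROOT is a hypothetical per-workspace directory on the server.
WORKSPACE_ROOT = "/var/opt/workspaces/ws-1"

# Vulnerable pattern: a user-controlled file name is joined onto the base
# directory and used as the write target. File.join does not normalise "..",
# and an absolute user path is simply appended rather than rejected, so the
# kernel later resolves the traversal to a location outside the root.
def naive_target(root, user_path)
  File.join(root, user_path)
end

# Hardened pattern: canonicalise the candidate against the root, then require
# the result to be the root itself or to sit strictly below it (the trailing
# "/" in the prefix check stops "ws-1" from matching a sibling "ws-10").
# Returns the absolute path to write to, or nil if the request escapes.
def safe_target(root, user_path)
  return nil if user_path.nil? || user_path.empty?
  return nil if user_path.include?("\0")      # NUL would truncate at the syscall
  return nil if user_path.start_with?("~")    # expand_path would substitute a home dir
  root_abs  = File.expand_path(root)
  candidate = File.expand_path(user_path, root_abs)  # resolves "." and ".." lexically
  return candidate if candidate == root_abs
  candidate.start_with?(root_abs + "/") ? candidate : nil
rescue ArgumentError
  nil
end

# Constructed sample of file names a workspace definition might carry;
# the last three are traversal attempts.
SAMPLE_PATHS = [
  ".devfile/config.yaml",
  "src/app/../main.rb",
  "../../../../etc/cron.d/evil",
  "/etc/passwd",
  "../ws-10/notes.txt",
].freeze

# Map each requested name to its accepted absolute target, or nil if rejected.
def classify_paths(root, paths)
  paths.to_h { |p| [p, safe_target(root, p)] }
end

if __FILE__ == $PROGRAM_NAME
  classify_paths(WORKSPACE_ROOT, SAMPLE_PATHS).each do |p, target|
    puts "#{p.inspect} -> #{target || 'REJECTED'}"
  end
end
```

The check above is purely lexical: `File.expand_path` collapses `..` segments but does not follow symlinks, so a link planted inside the root can still point outside it. Where the parent directory already exists, comparing `File.realpath` of the candidate's directory against `File.realpath(root)` closes that gap.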

Classification

CVE ID: CVE-2024-0402

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.9

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Problem Types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Affected Products

Vendor: GitLab

Product: GitLab

Exploit Prediction Scoring System (EPSS)

EPSS Score: 31.72% (estimated probability of exploitation activity in the wild within the next 30 days)

EPSS Percentile: 96.54% (share of all scored CVEs whose EPSS score is less than or equal to this one)

EPSS Date: 2025-06-04 (date on which this score was calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: poc

SSVC Technical Impact: total

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2024-0402
https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released/
https://gitlab.com/gitlab-org/gitlab/-/issues/437819

Timeline