CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-1198: Insufficient Session Expiration in GitLab

4.2 CVSS

Description

An issue discovered in GitLab CE/EE affecting all versions from 16.11 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 meant that long-lived connections in ActionCable potentially allowed revoked Personal Access Tokens access to streaming results.

Classification

CVE ID: CVE-2025-1198

CVSS Base Severity: MEDIUM

CVSS Base Score: 4.2

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Affected Products

Vendor: GitLab

Product: GitLab

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.98% (scored less or equal to compared to others)

EPSS Date: 2025-03-14 (when was this score calculated)

References

https://gitlab.com/gitlab-org/gitlab/-/issues/511477

Timeline

2025-02-13 10:00:34 UTC
Tenable Plugins

GitLab 16.11 < 17.6.5 / 17.7 < 17.7.4 / 17.8 < 17.8.2 (CVE-2025-1198)
2025-02-14 00:32:31 UTC
CVE

Insufficient Session Expiration in GitLab