CVE-2025-2408: Insufficient Granularity of Access Control in GitLab

5.3 CVSS

Description

An issue has been discovered in GitLab CE/EE affecting all versions from 13.12 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. Under certain conditions users could bypass IP access restrictions and view sensitive information.

Classification

CVE ID: CVE-2025-2408

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Problem Types

CWE-1220: Insufficient Granularity of Access Control

Affected Products

Vendor: GitLab

Product: GitLab

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 2.6% (scored less or equal to compared to others)

EPSS Date: 2025-04-20 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: true

References

https://nvd.nist.gov/vuln/detail/CVE-2025-2408
https://gitlab.com/gitlab-org/gitlab/-/issues/525323
https://hackerone.com/reports/3027775

Timeline

2025-04-10 13:40:16 UTC
CVE

Insufficient Granularity of Access Control in GitLab