CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-4979: Insufficient Granularity of Access Control in GitLab

4.9 CVSS

Description

An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. An attacker may be able to reveal masked or hidden CI variables (that they did not author) in the WebUI, by simply creating their own variable and observing the HTTP response.

Classification

CVE ID: CVE-2025-4979

CVSS Base Severity: MEDIUM

CVSS Base Score: 4.9

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Problem Types

CWE-1220: Insufficient Granularity of Access Control

Affected Products

Vendor: GitLab

Product: GitLab

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.01% (probability of being exploited)

EPSS Percentile: 1.12% (scored less or equal to compared to others)

EPSS Date: 2025-06-19 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-4979
https://gitlab.com/gitlab-org/gitlab/-/issues/524455

Timeline

2025-05-22 14:40:18 UTC
CVE

Insufficient Granularity of Access Control in GitLab