CVE-2025-11702
BaseFortify
Publication date: 2025-10-29
Last updated on: 2025-11-03
Assigner: GitLab Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gitlab | gitlab | From 17.1.0 (inc) to 18.3.5 (exc) |
| gitlab | gitlab | From 18.4.0 (inc) to 18.4.3 (exc) |
| gitlab | gitlab | 18.5.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in GitLab EE versions before certain fixed releases allowed an authenticated attacker with specific permissions to hijack project runners from other projects. Essentially, it means that someone with limited access could take control of runners assigned to different projects, potentially interfering with or manipulating those projects' CI/CD processes.
How can this vulnerability impact me? :
The impact of this vulnerability includes unauthorized control over project runners, which could lead to disruption or manipulation of continuous integration and deployment workflows. This could result in compromised build processes, exposure of sensitive data, or execution of malicious code within the affected projects.
What immediate steps should I take to mitigate this vulnerability?
Upgrade GitLab EE to a fixed version: 18.3.5 or later if using 18.3, 18.4.3 or later if using 18.4, or 18.5.1 or later if using 18.5. Ensure that only trusted authenticated users have permissions to manage project runners to reduce risk.