CVE-2025-11989
BaseFortify
Publication date: 2025-10-27
Last updated on: 2025-10-28
Assigner: GitLab Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gitlab | gitlab | From 17.6.0 (inc) to 18.3.5 (exc) |
| gitlab | gitlab | From 18.4.0 (inc) to 18.4.3 (exc) |
| gitlab | gitlab | 18.5.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in GitLab EE allows an authenticated attacker to execute unauthorized quick actions by including malicious commands in specific descriptions. It affects certain versions before they were patched.
How can this vulnerability impact me? :
An attacker who is authenticated could perform unauthorized quick actions, potentially leading to unintended changes or actions within the GitLab environment, which could disrupt workflows or compromise data integrity.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update GitLab EE to a fixed version: 18.3.5 or later if you are on the 17.6.0 to before 18.3.5 range, 18.4.3 or later if you are on 18.4 before 18.4.3, or 18.5.1 or later if you are on 18.5 before 18.5.1. This will prevent authenticated attackers from executing unauthorized quick actions via malicious commands in descriptions.