CVE-2025-6601
BaseFortify
Publication date: 2025-10-27
Last updated on: 2025-10-28
Assigner: GitLab Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gitlab | gitlab | From 18.4.0 (inclusive) to 18.4.3 (exclusive); fixed in 18.4.3 |
| gitlab | gitlab | 18.5.0; fixed in 18.5.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-840 | Business Logic Errors |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-6601 is a business logic error (CWE-840) in GitLab Enterprise Edition affecting all versions from 18.4 before 18.4.3 and 18.5 before 18.5.1. An authenticated user could gain unauthorized access to projects by abusing the access request approval workflow, bypassing the intended membership controls under certain conditions. The page does not specify what those conditions are. [1]
How can this vulnerability impact me?
An authenticated user could end up with access to projects they were never granted, which may lead to unauthorized viewing or modification of project data. The confidentiality and integrity impact is rated low and there is no availability impact, but any unintended project membership on a source-code platform is a meaningful exposure: repository contents, issues and CI configuration become readable to a user who should not have them. [1]
What immediate steps should I take to mitigate this vulnerability?
Upgrade GitLab Enterprise Edition to 18.4.3 or later on the 18.4 series, or to 18.5.1 or later on the 18.5 series; these patch releases correct the business logic error in the access request approval workflow. Apply the update promptly. As a general follow-up, not specific to this CVE, it is worth reviewing access requests approved during the exposure window and the resulting project memberships, and removing any that were not intended. [1]
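The version ranges above are easy to misread (18.4.3 and 18.5.1 are fixed; 18.4.10 is later than 18.4.3 and so also fixed), so here is a small checker that encodes them. This is an added example, not code from the BaseFortify page or from GitLab. It assumes the JSON shape returned by GitLab's `GET /api/v4/version` endpoint (a `version` field such as `"18.4.2-ee"`); the decision to treat a `-ce` suffix as unaffected follows the page's statement that Enterprise Edition is affected and is an assumption made here, while a version with no edition suffix is treated conservatively as affected. The sample response is constructed.

```python
"""Check whether a GitLab version falls in the ranges listed for CVE-2025-6601.

Added example, not part of the BaseFortify page or GitLab's own tooling.
Ranges come from the page's affected-products table:
    18.4.0 <= v < 18.4.3   and   18.5.0 <= v < 18.5.1
Assumption: only Enterprise Edition ("-ee") is affected, per the page's
description; a "-ce" build is reported as not affected, and a version with
no suffix is treated as affected to stay on the safe side.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# (first affected version inclusive, first fixed version exclusive)
AFFECTED_RANGES = (
    ((18, 4, 0), (18, 4, 3)),
    ((18, 5, 0), (18, 5, 1)),
)

# major.minor.patch with an optional -ee / -ce edition suffix
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(ee|ce))?")


@dataclass(frozen=True)
class GitLabVersion:
    major: int
    minor: int
    patch: int
    edition: str  # "ee", "ce" or "unknown"

    @property
    def as_tuple(self) -> Tuple[int, int, int]:
        # Tuple comparison gives correct numeric ordering (18.4.10 > 18.4.3),
        # which a plain string comparison would get wrong.
        return (self.major, self.minor, self.patch)


def parse_version(raw: str) -> GitLabVersion:
    """Parse strings like '18.4.2-ee'; raise ValueError on anything else."""
    m = _VERSION_RE.match(raw.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {raw!r}")
    major, minor, patch, edition = m.groups()
    return GitLabVersion(int(major), int(minor), int(patch), edition or "unknown")


def fixed_version_for(raw: str) -> Optional[str]:
    """Return the first fixed release for an affected version, else None."""
    v = parse_version(raw)
    for low, high in AFFECTED_RANGES:
        if low <= v.as_tuple < high:
            return ".".join(str(n) for n in high)
    return None


def is_affected(raw: str) -> bool:
    """True if the version is in an affected range and not a CE build."""
    v = parse_version(raw)
    if v.edition == "ce":
        return False  # assumption: the advisory text names Enterprise Edition only
    return fixed_version_for(raw) is not None


def assess_version_response(body: str) -> dict:
    """Assess a JSON body of the shape returned by GitLab's GET /api/v4/version."""
    data = json.loads(body)
    raw = data["version"]
    return {
        "version": raw,
        "affected": is_affected(raw),
        "upgrade_to": fixed_version_for(raw) if is_affected(raw) else None,
    }


# Constructed sample response; not captured from a real instance.
SAMPLE_VERSION_RESPONSE = '{"version": "18.4.2-ee", "revision": "0123456789a"}'

if __name__ == "__main__":
    print(assess_version_response(SAMPLE_VERSION_RESPONSE))
```

In practice you would feed `assess_version_response` the body of an authenticated request to `/api/v4/version` on each instance you operate; the endpoint needs a token, so run it from an inventory job rather than anonymously.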