CVE-2025-12653
BaseFortify
Publication date: 2025-11-26
Last updated on: 2025-12-10
Assigner: GitLab Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gitlab | gitlab | From 18.3.0 (inc) to 18.4.5 (exc) |
| gitlab | gitlab | From 18.5.0 (inc) to 18.5.3 (exc) |
| gitlab | gitlab | 18.6.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-290 | This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in GitLab CE/EE versions before certain fixed releases allowed an unauthenticated user to join arbitrary organizations by manipulating request headers under specific conditions.
How can this vulnerability impact me?
An attacker could exploit this vulnerability to join organizations without authorization, potentially gaining access to resources or information intended only for legitimate members, which could lead to information disclosure or unauthorized actions.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade GitLab CE/EE to a fixed version: 18.4.5 or later if you are on the 18.3 or 18.4 series, 18.5.3 or later if you are on the 18.5 series, or 18.6.1 or later if you are on the 18.6 series. The fixed releases prevent unauthenticated users from joining arbitrary organizations by manipulating request headers.