CVE-2025-6945
BaseFortify
Publication date: 2025-11-15
Last updated on: 2025-11-20
Assigner: GitLab Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gitlab | gitlab | From 17.9.0 (inc) to 18.3.6 (exc) |
| gitlab | gitlab | From 18.4.0 (inc) to 18.4.4 (exc) |
| gitlab | gitlab | From 18.5.0 (inc) to 18.5.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in GitLab EE allows an authenticated attacker to leak sensitive information from confidential issues by injecting hidden prompts into merge request comments. It affects certain versions before specific patches were released.
How can this vulnerability impact me? :
The vulnerability could lead to leakage of sensitive information from confidential issues, potentially exposing private data to unauthorized users who have authenticated access.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update GitLab EE to a fixed version: 18.3.6 or later if using 17.8 series, 18.4.4 or later if using 18.4 series, or 18.5.2 or later if using 18.5 series. This will prevent authenticated attackers from leaking sensitive information via hidden prompts in merge request comments.