CVE-2025-11984
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-11984, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-11

Last updated on: 2025-12-11

Assigner: GitLab Inc.

Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to bypass WebAuthn two-factor authentication by manipulating the session state under certain conditions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-11
Last Modified
2025-12-11
Generated
2026-07-06
AI Q&A
2025-12-11
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
gitlab gitlab_ce 18.4.6
gitlab gitlab_ce 18.5
gitlab gitlab_ce 18.6
gitlab gitlab_ce 13.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-288 The product requires authentication, but the product has an alternate path or channel that does not require authentication.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in GitLab CE/EE versions before certain fixed releases allows an authenticated user to bypass WebAuthn two-factor authentication by manipulating the session state under certain conditions.

Impact Analysis

An attacker who is an authenticated user could bypass the WebAuthn two-factor authentication, potentially gaining unauthorized access to accounts or sensitive information, leading to a high impact on confidentiality and integrity.

Mitigation Strategies

To mitigate this vulnerability, immediately update GitLab CE/EE to a fixed version: 18.4.6 or later for 18.4.x, 18.5.4 or later for 18.5.x, and 18.6.2 or later for 18.6.x. Ensure that all users re-authenticate and monitor for any suspicious session activity related to WebAuthn two-factor authentication bypass attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11984. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart