CVE-2025-11984
BaseFortify
Publication date: 2025-12-11
Last updated on: 2025-12-11
Assigner: GitLab Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gitlab | gitlab_ce | 18.4.6 |
| gitlab | gitlab_ce | 18.5 |
| gitlab | gitlab_ce | 18.6 |
| gitlab | gitlab_ce | 13.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in GitLab CE/EE versions before certain fixed releases allows an authenticated user to bypass WebAuthn two-factor authentication by manipulating the session state under certain conditions.
How can this vulnerability impact me? :
An attacker who is an authenticated user could bypass the WebAuthn two-factor authentication, potentially gaining unauthorized access to accounts or sensitive information, leading to a high impact on confidentiality and integrity.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update GitLab CE/EE to a fixed version: 18.4.6 or later for 18.4.x, 18.5.4 or later for 18.5.x, and 18.6.2 or later for 18.6.x. Ensure that all users re-authenticate and monitor for any suspicious session activity related to WebAuthn two-factor authentication bypass attempts.