CVE-2025-13978
BaseFortify
Publication date: 2025-12-11
Last updated on: 2025-12-11
Assigner: GitLab Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Affected version range (upper bound is the fixed release, excluded) |
|---|---|---|
| gitlab | gitlab_ce | 17.5 up to (excluding) 18.4.6 |
| gitlab | gitlab_ce | 18.5 up to (excluding) 18.5.4 |
| gitlab | gitlab_ce | 18.6 up to (excluding) 18.6.2 |
| gitlab | gitlab_ee | 17.5 up to (excluding) 18.4.6 |
| gitlab | gitlab_ee | 18.5 up to (excluding) 18.5.4 |
| gitlab | gitlab_ee | 18.6 up to (excluding) 18.6.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-209 | The product generates an error message that includes sensitive information about its environment, users, or associated data. |
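The CWE-209 pattern behind this class of bug, as an added illustration that is not GitLab's code and does not reproduce the actual vulnerable endpoint: a hypothetical project lookup whose error response differs depending on whether a hidden project exists, next to a hardened version where "does not exist" and "not permitted" are indistinguishable. The project store, user names and messages are constructed for the example.

```python
"""Illustration of CWE-209-style existence disclosure through error responses.

Added example, not GitLab's code: the project store, handler names and messages
below are hypothetical and only model the class of bug the CWE describes
(an error message that differs depending on whether a hidden resource exists).
"""
from dataclasses import dataclass

# Constructed sample data: one public and one private project, both owned by "alice".
PROJECTS = {
    "alice/public-tools": {"visibility": "public", "members": {"alice"}},
    "alice/secret-roadmap": {"visibility": "private", "members": {"alice"}},
}


@dataclass(frozen=True)
class Response:
    status: int
    message: str


def can_view(user: str, project: dict) -> bool:
    """Hypothetical access rule: public projects are visible to anyone, private ones to members."""
    return project["visibility"] == "public" or user in project["members"]


def lookup_leaky(user: str, path: str) -> Response:
    """Vulnerable pattern: the error depends on whether the hidden project exists."""
    project = PROJECTS.get(path)
    if project is None:
        return Response(404, "404 Project Not Found")
    if not can_view(user, project):
        # Leaks both the existence and the exact name of a project the caller cannot see.
        return Response(403, f"403 Forbidden: project '{path}' is private")
    return Response(200, f"ok: {path}")


def lookup_hardened(user: str, path: str) -> Response:
    """Fixed pattern: 'missing' and 'not permitted' collapse to one identical response."""
    project = PROJECTS.get(path)
    if project is None or not can_view(user, project):
        return Response(404, "404 Project Not Found")
    return Response(200, f"ok: {path}")


def is_enumeration_oracle(handler, user: str, existing_hidden: str, missing: str) -> bool:
    """True if an unauthorized caller can tell a hidden-but-real path from a nonexistent one."""
    return handler(user, existing_hidden) != handler(user, missing)


def demo() -> dict:
    """Run both handlers as the outsider 'mallory' and report which one acts as an oracle."""
    hidden, missing = "alice/secret-roadmap", "alice/does-not-exist"
    return {
        "leaky": is_enumeration_oracle(lookup_leaky, "mallory", hidden, missing),
        "hardened": is_enumeration_oracle(lookup_hardened, "mallory", hidden, missing),
    }


if __name__ == "__main__":
    print(demo())  # {'leaky': True, 'hardened': False}
```

The comparison in `is_enumeration_oracle` covers the status code as well as the message body: a 403 versus a 404 is enough of an oracle even when the text says nothing about the project, so the hardened handler must return the same status and the same body for both cases.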
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in GitLab CE/EE allows an authenticated user to discover the names of private projects they do not have access to by making API requests. It affects versions from 17.5 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2.
How can this vulnerability impact me?
The vulnerability could lead to unauthorized disclosure of private project names to authenticated users who should not have access, potentially exposing sensitive project information or revealing the existence of confidential projects.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update GitLab CE/EE to a fixed release: 18.4.6 or later if you run anything from 17.5 through 18.4.x, 18.5.4 or later for 18.5.x, and 18.6.2 or later for 18.6.x. After upgrading, confirm the version the instance actually reports (for example via GET /api/v4/version) rather than relying on the upgrade job alone. The fix stops authenticated users from discovering, via API requests, the names of private projects they do not have access to.
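A version check against the ranges this advisory lists, as an added example that is not GitLab's or BaseFortify's tooling. It reads the JSON body that the real `GET /api/v4/version` endpoint returns (a constructed sample is embedded so the script runs offline) and reports whether the instance falls inside 17.5 <= v < 18.4.6, 18.5 <= v < 18.5.4 or 18.6 <= v < 18.6.2; the function names and the sample revision strings are assumptions made for the example.

```python
"""Check a GitLab instance's reported version against the ranges in this advisory.

Added example, not GitLab's or BaseFortify's tooling. Function names and the
constructed sample bodies are assumptions; /api/v4/version and the PRIVATE-TOKEN
header are real GitLab API features.
"""
import json
import re
import sys
import urllib.request
from typing import Tuple

Version = Tuple[int, int, int]

# Affected ranges from the advisory: (inclusive lower bound, exclusive upper bound).
AFFECTED_RANGES = [
    ((17, 5, 0), (18, 4, 6)),
    ((18, 5, 0), (18, 5, 4)),
    ((18, 6, 0), (18, 6, 2)),
]


def parse_version(text: str) -> Version:
    """Turn '18.5.3', '18.5.3-ee' or '18.6.0-pre' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version: str) -> bool:
    """True when the version lies inside any affected [lower, upper) range."""
    v = parse_version(version)
    return any(low <= v < high for low, high in AFFECTED_RANGES)


def assess(version_json: str) -> dict:
    """Assess the body of /api/v4/version; returns the reported version and the verdict."""
    data = json.loads(version_json)
    version = data["version"]
    return {"version": version, "affected": is_affected(version)}


# Constructed sample responses in the shape /api/v4/version returns.
SAMPLE_VULNERABLE = '{"version": "18.5.3-ee", "revision": "deadbeef"}'
SAMPLE_FIXED = '{"version": "18.6.2", "revision": "cafef00d"}'


def fetch_version_json(base_url: str, token: str) -> str:
    """Fetch /api/v4/version from a live instance (authenticated; not used by the offline demo)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Usage: python check.py https://gitlab.example.com <personal-access-token>
    if len(sys.argv) == 3:
        body = fetch_version_json(sys.argv[1], sys.argv[2])
    else:
        body = SAMPLE_VULNERABLE
    print(assess(body))
```

The parser deliberately ignores suffixes such as `-ee` or `-pre`, so a pre-release build labelled with a fixed version number (for example `18.4.6-pre`) is reported as fixed even though it may predate the patch; treat any non-release suffix as needing a manual check.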