CVE-2025-3950
BaseFortify
Publication date: 2026-01-09
Last updated on: 2026-01-09
Assigner: GitLab Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gitlab | gitlab_ce | From 10.3 (inc) to 18.5.5 (exc) |
| gitlab | gitlab_ce | From 18.6 (inc) to 18.6.3 (exc) |
| gitlab | gitlab_ce | From 18.7 (inc) to 18.7.1 (exc) |
| gitlab | gitlab_ee | From 10.3 (inc) to 18.5.5 (exc) |
| gitlab | gitlab_ee | From 18.6 (inc) to 18.6.3 (exc) |
| gitlab | gitlab_ee | From 18.7 (inc) to 18.7.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-359 | The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in GitLab CE/EE allows a user to leak certain information by referencing specially crafted images that bypass asset proxy protection. It affects all versions from 10.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1.
How can this vulnerability impact me? :
The vulnerability can lead to information leakage by bypassing asset proxy protections, potentially exposing sensitive data to unauthorized users. The CVSS score indicates a low severity impact on confidentiality with no impact on integrity or availability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should immediately upgrade GitLab CE/EE to the patched versions 18.5.5, 18.6.3, or 18.7.1 or later. These releases address the vulnerability and include other security and bug fixes. Upgrading to these versions will prevent the information leak caused by specially crafted images bypassing asset proxy protection. [1]