CVE-2025-12506
Received Received - Intake

GitLab Repository Content Display Discrepancy via Improper Git Reference Resolution

Vulnerability report for CVE-2025-12506, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitLab Inc.

Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.5 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user to create a repository where the content displayed in the web interface differed from the content available for download, due to improper handling of Git reference name resolution.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
gitlab gitlab_ce From 16.5 (inc) to 18.11.7 (exc)
gitlab gitlab_ee From 16.5 (inc) to 18.11.7 (exc)
gitlab gitlab_ce From 19.0 (inc) to 19.0.4 (exc)
gitlab gitlab_ee From 19.0 (inc) to 19.0.4 (exc)
gitlab gitlab_ce From 19.1 (inc) to 19.1.2 (exc)
gitlab gitlab_ee From 19.1 (inc) to 19.1.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-706 The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in GitLab CE/EE versions from 16.5 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 allows an authenticated user, under certain conditions, to create a repository where the content shown in the web interface is different from the content that can be downloaded. This happens due to improper handling of Git reference name resolution.

Mitigation Strategies

To mitigate this vulnerability, update GitLab CE/EE to a fixed version. Specifically, upgrade to version 18.11.7 or later if using the 16.5 to before 18.11.7 range, version 19.0.4 or later if using 19.0 to before 19.0.4, or version 19.1.2 or later if using 19.1 to before 19.1.2.

Impact Analysis

The impact of this vulnerability is that an authenticated user could create a repository with misleading content displayed on the web interface compared to what is actually available for download. This could lead to confusion, misinformation, or potential trust issues regarding the integrity of the repository content.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12506. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart