CVE-2025-12506
Received
Received - Intake
GitLab Repository Content Display Discrepancy via Improper Git Reference Resolution
Vulnerability report for CVE-2025-12506, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-08
Last updated on: 2026-07-08
Assigner: GitLab Inc.
Description
Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.5 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user to create a repository where the content displayed in the web interface differed from the content available for download, due to improper handling of Git reference name resolution.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gitlab | gitlab_ce | From 16.5 (inc) to 18.11.7 (exc) |
| gitlab | gitlab_ee | From 16.5 (inc) to 18.11.7 (exc) |
| gitlab | gitlab_ce | From 19.0 (inc) to 19.0.4 (exc) |
| gitlab | gitlab_ee | From 19.0 (inc) to 19.0.4 (exc) |
| gitlab | gitlab_ce | From 19.1 (inc) to 19.1.2 (exc) |
| gitlab | gitlab_ee | From 19.1 (inc) to 19.1.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-706 | The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere. |