← back
CVE-2025-2498

Insufficient Granularity of Access Control in GitLab

CVSS 3.1 LOWEPSS 0.2%CWE-1220
Vexday Risk Score
8Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 3.1EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
13 Aug 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
An improper access control in Gitlab EE affecting all versions from 12.0 prior to 18.0.6, 18.1 prior to 18.1.4, and 18.2 prior to 18.2.2 that under certain conditions could have allowed users to view assigned issues from restricted groups by bypassing IP restrictions.
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Affected products
GitLab · GitLab

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://gitlab.com/gitlab-org/gitlab/-/issues/525515https://hackerone.com/reports/3037722