CVE-2025-4979 - NVD | ByteOS Network

NVD Vulnerability Details :

CVE-2025-4979

Analyzed

More Info Official Page

Source-cve@gitlab.com

Published At-22 May, 2025 | 14:16

Updated At-08 Aug, 2025 | 18:33

An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. An attacker may be able to reveal masked or hidden CI variables (that they did not author) in the WebUI, by simply creating their own variable and observing the HTTP response.

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	4.9	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Primary	3.1	7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Type: Secondary

Version: 3.1

Base score: 4.9

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Type: Primary

Version: 3.1

Base score: 7.5

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CPE Matches

>>gitlab>>Versions before 17.10.7(exclusive)

cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*

>>gitlab>>Versions before 17.10.7(exclusive)

cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

>>gitlab>>Versions from 17.11.0(inclusive) to 17.11.3(exclusive)

cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*

>>gitlab>>Versions from 17.11.0(inclusive) to 17.11.3(exclusive)

cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

>>gitlab>>18.0.0

cpe:2.3:a:gitlab:gitlab:18.0.0:*:*:*:community:*:*:*

>>gitlab>>18.0.0

cpe:2.3:a:gitlab:gitlab:18.0.0:*:*:*:enterprise:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-1220	Primary	cve@gitlab.com
NVD-CWE-noinfo	Primary	nvd@nist.gov

CWE ID: CWE-1220

Type: Primary

Source: cve@gitlab.com

CWE ID: NVD-CWE-noinfo

Type: Primary

Source: nvd@nist.gov

References

Hyperlink	Source	Resource
https://gitlab.com/gitlab-org/gitlab/-/issues/524455	cve@gitlab.com	Broken Link

Hyperlink: https://gitlab.com/gitlab-org/gitlab/-/issues/524455

Source: cve@gitlab.com

Resource:

Broken Link