CVE-2025-2498

LOW

Gitlab EE <18.0.6-18.2.2 - Auth Bypass


Description

An improper access control issue in GitLab EE, affecting all versions from 12.0 prior to 18.0.6, 18.1 prior to 18.1.4, and 18.2 prior to 18.2.2, under certain conditions could have allowed users to view assigned issues from restricted groups by bypassing IP restrictions.

Scores

CVSS v3.1 base score: 3.1 (Low)
EPSS: 0.0002
EPSS percentile: 4.3%
Attack vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Source: Vulnrichment
Exploitation: none
Automatable: no
Technical impact: partial

Details

CWE: CWE-1220
Status: published
Products (1): gitlab/gitlab 12.0.0 - 18.0.6
Published: Aug 13, 2025
Tracked since: Feb 18, 2026