Overview
CVE-2025-6195 is a medium severity information disclosure vulnerability affecting GitLab Enterprise Edition (EE). Discovered and patched in late 2025, the vulnerability could allow an authenticated user to view sensitive information contained within security reports, under specific and limited configuration conditions. It affects GitLab EE versions from 13.7 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1.
Technical Details
The vulnerability stems from improper access control checks within the security report functionality of GitLab EE. GitLab has intentionally kept the exact details vague to limit exploitation of unpatched instances, but it is understood that a combination of factors, likely involving project visibility settings and user permissions, can lead to unauthorized access to security report data. Exploitation requires an authenticated user: an anonymous attacker cannot exploit the vulnerability without first obtaining valid GitLab credentials.
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) assigns CVE-2025-6195 a score of 4.3, indicating a MEDIUM severity. This score is derived from the following factors:
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): Low (L)
- Integrity (I): None (N)
- Availability (A): None (N)
This CVSS score highlights that the vulnerability can be exploited over the network, requires minimal complexity, and only needs a low level of privileges (an authenticated user). The impact is primarily on the confidentiality of data, with no impact on integrity or availability.
Possible Impact
Successful exploitation of CVE-2025-6195 could lead to unauthorized disclosure of sensitive information contained within GitLab security reports. This information might include:
- Vulnerability details identified in projects
- Code analysis results
- Secrets or API keys accidentally exposed in the codebase
- Project-specific security findings
The unauthorized disclosure of such information could compromise the security posture of affected projects, potentially leading to further attacks or breaches.
Mitigation and Patch Steps
GitLab has released patched versions to address CVE-2025-6195. It is strongly recommended to upgrade your GitLab EE instance to one of the following versions (or later):
- 18.4.5
- 18.5.3
- 18.6.1
Follow the official GitLab upgrade documentation for detailed instructions on how to safely and effectively upgrade your instance. Regularly updating your GitLab instance is crucial for maintaining a secure environment and protecting against known vulnerabilities.
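The version ranges above are easy to misread (18.4.6, for example, lies past the 18.4.5 fix and is not listed as affected). The following Python helper, added here and not part of the advisory or of GitLab's own tooling, encodes the advisory's affected ranges and fixed versions so an installed version string can be checked; it assumes GitLab's usual "MAJOR.MINOR.PATCH-ee" version string format, and the pre-18.4 upgrade target it suggests is a simple heuristic, not advice from the advisory.

```python
import re

# Affected ranges from the advisory text, as [lower, upper) on (major, minor, patch).
AFFECTED_RANGES = [
    ((13, 7, 0), (18, 4, 5)),
    ((18, 5, 0), (18, 5, 3)),
    ((18, 6, 0), (18, 6, 1)),
]

# Patched releases listed in the advisory; upgrading to these (or later) resolves the issue.
FIXED_VERSIONS = [(18, 4, 5), (18, 5, 3), (18, 6, 1)]

# Matches strings such as "18.4.4-ee", "18.5" or "18.6.1-ee-pre".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(.+))?$")


def parse_version(text):
    """Parse 'MAJOR.MINOR[.PATCH][-suffix]' into ((major, minor, patch), suffix).

    A missing patch component is treated as 0, so '18.5' means 18.5.0, which is
    how the advisory's range '18.5 before 18.5.3' reads.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch, suffix = match.groups()
    return (int(major), int(minor), int(patch or 0)), (suffix or "")


def is_affected(version_text):
    """Return True if the installed version falls inside one of the affected ranges.

    The version string can be read from the authenticated GitLab Version API
    (GET /api/v4/version). Assumption: Community Edition builds report a '-ce'
    suffix; the advisory lists only EE as affected, so those return False.
    """
    version, suffix = parse_version(version_text)
    if suffix.startswith("ce"):
        return False
    return any(low <= version < high for low, high in AFFECTED_RANGES)


def recommended_upgrade(version_text):
    """Return the fixed release on the same minor line as the installed version.

    Heuristic (not from the advisory): anything older than the 18.4 line is
    pointed at the lowest patched release, 18.4.5.
    """
    (major, minor, _), _suffix = parse_version(version_text)
    for fixed in FIXED_VERSIONS:
        if fixed[:2] == (major, minor):
            return "%d.%d.%d" % fixed
    return "%d.%d.%d" % FIXED_VERSIONS[0]
```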
