CVE-2025-11990: GitLab CSRF Token Grab via Repository Reference Abuse – Patch Immediately!

Overview

CVE-2025-11990 is a low severity Cross-Site Request Forgery (CSRF) vulnerability in GitLab Enterprise Edition (EE), affecting versions 18.4 before 18.4.4 and 18.5 before 18.5.2. Improper input validation in repository references, combined with the way GitLab handles redirects, could let an authenticated user acquire another user's CSRF token.

Technical Details

The flaw combines two weaknesses. First, GitLab EE does not adequately validate user-supplied repository references (the values that name a branch, tag or commit in a request) before acting on them. Second, the redirect that follows such a request carries request data into its parameters, so a crafted reference can influence what the redirect contains. An attacker who already holds an account can therefore build a URL or web page that, when opened by a logged-in victim, makes the victim's browser issue the request and follow a redirect whose parameters include the victim's CSRF token, placing the token where the attacker can read it. What the attacker ends up with is a token tied to the victim's session, which is useful for passing GitLab's CSRF check on further forged requests; it is not a session of its own.

CVSS Analysis

The CVSS v3.x base score reported for CVE-2025-11990 is 3.1, which is LOW severity. The vector as listed on this page is:

  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality Impact (C): Low (L)
  • Integrity Impact (I): None (N)
  • Availability Impact (A): None (N)

The low rating follows from the high attack complexity and the need for user interaction: the attacker must build a very specific request, and a logged-in victim must be induced to open it. Privileges Required: Low adds a further bar, since the attacker needs an account on the instance to begin with. Confidentiality impact is Low because the only secret disclosed is the token itself; integrity and availability are untouched by the disclosure as such.

One check worth doing before copying these numbers anywhere: fed through the CVSS v3.1 base equation, the eight metrics listed above give 2.6, not 3.1. A score of 3.1 is what the same vector produces with User Interaction: None. One of the two figures on this page is therefore mistranscribed; take the vector string from GitLab's advisory or the NVD entry rather than from here.

Possible Impact

Although the severity is low, successful exploitation of CVE-2025-11990 could have the following impact:

  • CSRF Token Exposure: An attacker could obtain a legitimate user’s CSRF token.
  • Limited Unauthorized Actions: a CSRF token on its own does not log the attacker in. Its value is that it lets a forged request pass GitLab's CSRF check; the attacker still depends on the victim's browser to attach the session cookie, and anything done this way is bounded by the victim's own permissions, for example changing a setting the victim could change. The impact stays limited because the attack rides on access the victim already has rather than creating new access.

Mitigation or Patch Steps

The fix is to upgrade the GitLab EE instance to a patched release:

  • 18.4.4 (or later for the 18.4 series)
  • 18.5.2 (or later for the 18.5 series)

Before and after upgrading, confirm the running version (in the Admin area, or with an authenticated GET /api/v4/version) so that the instance is actually outside the affected ranges. Applying GitLab patch releases promptly remains the baseline defence, since each one typically closes several issues of this kind at once.
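As an added example (not GitLab's code), the check below turns the version ranges on this page into a yes/no verdict for one instance. It consumes the JSON shape returned by GitLab's GET /api/v4/version endpoint (a "version" field such as "18.5.1-ee", where the suffix marks the edition); the sample payloads in the block are constructed for the example, not captured from a real instance. Versions outside the 18.4 and 18.5 series come back as unknown rather than safe, because the page says nothing about them.

```python
"""Added example (not GitLab code): decide whether a GitLab instance sits in
the version ranges this page lists for CVE-2025-11990 and, if so, which
patch release to move to.  Input mirrors the JSON returned by
GET /api/v4/version; the sample payloads below are constructed."""
import json
import re

# Ranges as stated on this page: 18.4 before 18.4.4 and 18.5 before 18.5.2.
# Key: affected minor series; value: first fixed patch release.
FIXED_IN = {
    (18, 4): (18, 4, 4),
    (18, 5): (18, 5, 2),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\w+))?")


def parse_version(text: str) -> tuple:
    """'18.5.1-ee' -> ((18, 5, 1), 'ee'); '18.4.3' -> ((18, 4, 3), '')."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch)), (suffix or "").lower()


def assess(version_text: str) -> dict:
    """Verdict for one instance.

    'affected' is True or False only for versions inside a series the page
    covers; any other series yields None, since no published range applies."""
    version, suffix = parse_version(version_text)
    series = version[:2]
    if series not in FIXED_IN:
        return {
            "version": version_text,
            "edition": suffix or "unknown",
            "affected": None,
            "note": "series not covered by the published ranges",
        }
    fixed = FIXED_IN[series]
    affected = version < fixed  # tuple comparison, so 18.4.10 > 18.4.4
    return {
        "version": version_text,
        "edition": suffix or "unknown",
        "affected": affected,
        "upgrade_to": ".".join(map(str, fixed)) if affected else None,
    }


def assess_api_payload(payload: str) -> dict:
    """Feed the response body of GET /api/v4/version straight in."""
    return assess(json.loads(payload)["version"])


if __name__ == "__main__":
    # Constructed sample responses shaped like /api/v4/version output.
    samples = (
        '{"version":"18.5.1-ee","revision":"abc1234"}',
        '{"version":"18.4.4-ee","revision":"def5678"}',
        '{"version":"18.3.5-ee","revision":"0123abc"}',
    )
    for body in samples:
        print(assess_api_payload(body))
```

The page names EE only, so the verdict carries the edition alongside the version and leaves the CE question to the reader rather than guessing. Comparing version tuples instead of strings is what keeps 18.4.10 from sorting below 18.4.4.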

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
