CVE-2025-2498
Insufficient Granularity of Access Control in GitLab
CVSS 3.1 score: 4.3 (MEDIUM)
EPSS: 0.02%
Description
An improper access control issue in GitLab EE affects all versions from 12.0 prior to 18.0.6, 18.1 prior to 18.1.4, and 18.2 prior to 18.2.2. Under certain conditions it could have allowed users to view issues assigned to them in restricted groups, bypassing the group's IP address restrictions.
How to fix CVE-2025-2498
To remediate CVE-2025-2498, upgrade the affected package to the fixed version for your release branch:
- 18.0.x: upgrade to 18.0.6 or later
- 18.1.x: upgrade to 18.1.4 or later
- 18.2.x: upgrade to 18.2.2 or later
Is CVE-2025-2498 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 12.0.0, < 18.0.6, >= 18.1.0, < 18.1.4, >= 18.2.0, < 18.2.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (4.3) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |