CVE-2025-4979
Insufficient Granularity of Access Control in GitLab
7.5
HIGH
CVSS 3.1
EPSS 0.07%
Description
An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. An attacker may be able to reveal masked or hidden CI variables (that they did not author) in the WebUI, by simply creating their own variable and observing the HTTP response.
How to fix CVE-2025-4979
To remediate CVE-2025-4979, upgrade GitLab CE/EE to the fixed release for the branch you run:
- 17.10.x: upgrade to 17.10.7 or later
- 17.11.x: upgrade to 17.11.3 or later
- 18.0.x: upgrade to 18.0.1 or later
Because masked or hidden CI variables on an affected instance may already have been read, consider rotating the secrets they hold after upgrading.
Is CVE-2025-4979 being exploited?
Low: EPSS is 0.07%, an estimated probability of exploitation activity in the next 30 days well under 1%, so exploitation has not been observed at scale.
Affected packages (1)
- GitLab CE/EE: >= 0, < 17.10.7; >= 17.11.0, < 17.11.3; >= 18.0.0, < 18.0.1
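As an added example (not part of this advisory or of GitLab's own tooling), the following Python helper encodes the three affected ranges above and reports whether a given GitLab version string is vulnerable. The optional `fetch_version` function assumes an authenticated request to GitLab's `/api/v4/version` endpoint, whose JSON response carries a `version` field such as `17.11.2-ee`; everything else runs offline.

```python
"""Check a GitLab version string against the CVE-2025-4979 affected ranges.

Added example, not advisory or GitLab code. Ranges come from the advisory text:
all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1.
"""
import json
import re
import urllib.request

# Fixed patch level per maintained branch, as listed in the advisory.
FIXED_BY_BRANCH = {
    (17, 10): (17, 10, 7),
    (17, 11): (17, 11, 3),
    (18, 0): (18, 0, 1),
}
# Oldest fixed version overall: anything below it is affected, whatever the branch.
OLDEST_FIX = (17, 10, 7)


def parse_version(text):
    """Turn 'MAJOR.MINOR.PATCH[-ee|-pre...]' into an integer tuple.

    Suffixes such as '-ee' or '-pre' are ignored; they do not change the
    patch level that the advisory ranges are expressed in.
    """
    match = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(text):
    """Return True if the version falls inside an affected range."""
    version = parse_version(text)
    if version < OLDEST_FIX:
        # Covers every release before 17.10.7, including all 16.x and earlier.
        return True
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is not None and version < fixed:
        # 17.11.0-17.11.2 and 18.0.0 are the remaining vulnerable releases.
        return True
    return False


def fetch_version(base_url, token, timeout=10):
    """Read the running version from GitLab's /api/v4/version endpoint.

    Requires network access and a token that can read the instance version;
    the base_url and token are supplied by the caller (hypothetical values
    in the usage below).
    """
    request = urllib.request.Request(
        base_url.rstrip("/") + "/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return json.load(response)["version"]


def report(text):
    """Human-readable verdict for one version string."""
    verdict = "AFFECTED by CVE-2025-4979" if is_affected(text) else "not affected"
    return f"GitLab {text.strip()}: {verdict}"


if __name__ == "__main__":
    # Constructed sample inputs, one per branch plus an older release.
    for sample in ("16.11.10-ee", "17.10.7", "17.11.2-ee", "18.0.0", "18.0.1"):
        print(report(sample))
    # Live check against an instance (hypothetical URL and token):
    # print(report(fetch_version("https://gitlab.example.com", "glpat-...")))
```

Versions on branches the advisory does not name (18.1 and later) are treated as fixed, which matches the advisory's ranges; if you run a backport or a pre-release build, compare the patch level against the fixed release for that branch manually.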
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |