CVE-2025-5101
Improper Control of Generation of Code ('Code Injection') in GitLab
CVSS 3.1 base score: 5.0 (MEDIUM)
EPSS: 0.02%
Description
An issue has been discovered in GitLab CE/EE affecting all versions before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that under certain conditions could have allowed an authenticated attacker to distribute malicious code that appears harmless in the web interface by taking advantage of ambiguity between branches and tags during repository imports.
How to fix CVE-2025-5101
To remediate CVE-2025-5101, upgrade the affected package to a fixed version below.
- upgrade to 18.1.5 or later (on the 18.2 line, 18.2.5 or later; on the 18.3 line, 18.3.1 or later)
Is CVE-2025-5101 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- all versions < 18.1.5; >= 18.2.0 and < 18.2.5; >= 18.3.0 and < 18.3.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.0) | CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N |