CVE-2025-2615

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-2615
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-2615.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-2615
Aliases
Downstream
Related
Published
2025-11-15T08:04:44.743Z
Modified
2025-11-21T09:30:42.292461Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Insertion of Sensitive Information Into Sent Data in GitLab
Details

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.7 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2, that could have allowed a blocked user to access sensitive information by establishing GraphQL subscriptions through WebSocket connections.

Database specific 
{
    "cwe_ids": [
        "CWE-201"
    ]
}
References

Affected packages

Git / gitlab.com/gitlab-org/gitlab

Affected ranges

Type
GIT
Repo
https://gitlab.com/gitlab-org/gitlab
Events
Introduced
9e7d34f7ff11405ece06ec398b66965d153cee6f
Fixed
424c6d1f82a9a32df34d8059f2dadc30d356ff65
Database specific 
{
    "versions": [
        {
            "introduced": "16.7"
        },
        {
            "fixed": "18.3.6"
        }
    ]
}
Type
GIT
Repo
https://gitlab.com/gitlab-org/gitlab
Events
Introduced
9255f56b45844196bb7657a9f1fde6aa65a5d08d
Fixed
e2798305dc3604e272e12a319a932e96c3540374
Database specific 
{
    "versions": [
        {
            "introduced": "18.4"
        },
        {
            "fixed": "18.4.4"
        }
    ]
}
Type
GIT
Repo
https://gitlab.com/gitlab-org/gitlab
Events
Introduced
37cc4da7158316bb9b204cef9b056f16fff1df32
Fixed
cb961538ba8e451246e168e7bbd5b1e04f69102a
Database specific 
{
    "versions": [
        {
            "introduced": "18.5"
        },
        {
            "fixed": "18.5.2"
        }
    ]
}

Affected versions

v18.*

v18.4.0-ee
v18.4.1-ee
v18.4.2-ee
v18.4.3-ee
v18.5.0-ee
v18.5.1-ee