CVE-2025-6171

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-6171
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-6171.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-6171
Aliases
Downstream
Published
2025-11-15T08:04:24.736Z
Modified
2025-11-22T13:46:58.655458Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Missing Authorization in GitLab
Details

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.2 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker with reporter access to view branch names and pipeline details by accessing the packages API endpoint even when repository access was disabled.

Database specific 
{
    "cwe_ids": [
        "CWE-862"
    ]
}
References

Affected packages

Git / gitlab.com/gitlab-org/gitlab

Affected ranges

Type
GIT
Repo
https://gitlab.com/gitlab-org/gitlab
Events
Introduced
ce28f708ec5ca68092e16f55e47710367d32f2a1
Fixed
424c6d1f82a9a32df34d8059f2dadc30d356ff65
Database specific 
{
    "versions": [
        {
            "introduced": "13.2"
        },
        {
            "fixed": "18.3.6"
        }
    ]
}
Type
GIT
Repo
https://gitlab.com/gitlab-org/gitlab
Events
Introduced
9255f56b45844196bb7657a9f1fde6aa65a5d08d
Fixed
e2798305dc3604e272e12a319a932e96c3540374
Database specific 
{
    "versions": [
        {
            "introduced": "18.4"
        },
        {
            "fixed": "18.4.4"
        }
    ]
}
Type
GIT
Repo
https://gitlab.com/gitlab-org/gitlab
Events
Introduced
37cc4da7158316bb9b204cef9b056f16fff1df32
Fixed
cb961538ba8e451246e168e7bbd5b1e04f69102a
Database specific 
{
    "versions": [
        {
            "introduced": "18.5"
        },
        {
            "fixed": "18.5.2"
        }
    ]
}

Affected versions

v18.*

v18.4.0-ee
v18.4.1-ee
v18.4.2-ee
v18.4.3-ee
v18.5.0-ee
v18.5.1-ee