CVE-2025-6945

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-6945
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-6945.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-6945
Aliases
Downstream
Published
2025-11-15T08:04:29.739Z
Modified
2025-11-22T13:40:03.900323Z
Severity
  • 3.5 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Improper Neutralization of Special Elements used in a Command ('Command Injection') in GitLab
Details

GitLab has remediated an issue in GitLab EE affecting all versions from 17.8 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker to leak sensitive information from confidential issues by injecting hidden prompts into merge request comments.

Database specific 
{
    "cwe_ids": [
        "CWE-77"
    ]
}
References

Affected packages

Git / gitlab.com/gitlab-org/gitlab

Affected ranges

Type
GIT
Repo
https://gitlab.com/gitlab-org/gitlab
Events
Introduced
f03594b9e09b648c839e9c008286a24c93c82373
Fixed
424c6d1f82a9a32df34d8059f2dadc30d356ff65
Database specific 
{
    "versions": [
        {
            "introduced": "17.8"
        },
        {
            "fixed": "18.3.6"
        }
    ]
}
Type
GIT
Repo
https://gitlab.com/gitlab-org/gitlab
Events
Introduced
9255f56b45844196bb7657a9f1fde6aa65a5d08d
Fixed
e2798305dc3604e272e12a319a932e96c3540374
Database specific 
{
    "versions": [
        {
            "introduced": "18.4"
        },
        {
            "fixed": "18.4.4"
        }
    ]
}
Type
GIT
Repo
https://gitlab.com/gitlab-org/gitlab
Events
Introduced
37cc4da7158316bb9b204cef9b056f16fff1df32
Fixed
cb961538ba8e451246e168e7bbd5b1e04f69102a
Database specific 
{
    "versions": [
        {
            "introduced": "18.5"
        },
        {
            "fixed": "18.5.2"
        }
    ]
}

Affected versions

v18.*

v18.4.0-ee
v18.4.1-ee
v18.4.2-ee
v18.4.3-ee
v18.5.0-ee
v18.5.1-ee