CVE-2025-0549: 
GitLab vulnerability analysis and mitigation

A security vulnerability (CVE-2025-0549) was discovered in GitLab CE/EE affecting all versions starting from 17.3 prior to 17.9.8, from 17.10 prior to 17.10.6, and from 17.11 prior to 17.11.2. The vulnerability allows attackers to bypass Device OAuth flow protections, enabling authorization form submission through minimal user interaction. This vulnerability was reported through GitLab's HackerOne bug bounty program by researcher sim4n6 and was publicly disclosed on May 7, 2025 (GitLab Release, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 6.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N. The weakness has been categorized as CWE-288 (Authentication Bypass Using an Alternate Path or Channel). The technical nature of the vulnerability involves the Device OAuth flow protection mechanism, which under certain conditions could be circumvented to allow unauthorized form submissions (NVD, Wiz).

The vulnerability could potentially lead to unauthorized access through the Device OAuth flow, compromising the confidentiality and integrity of affected systems. The CVSS scoring indicates high potential impact on both confidentiality and integrity, though availability is not affected (GitLab Release, Wiz).

GitLab has released patches in versions 17.11.2, 17.10.6, and 17.9.8 to address this vulnerability. Users are strongly recommended to upgrade to these patched versions immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take action (GitLab Release).