CVE-2025-0605: 
GitLab vulnerability analysis and mitigation

A security vulnerability (CVE-2025-0605) was discovered in GitLab CE/EE affecting all versions from 16.8 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. The vulnerability relates to group access controls that could potentially allow certain users to bypass two-factor authentication requirements. The issue was reported through GitLab's HackerOne bug bounty program by security researcher salh4ckr (GitLab Patch, CVE Details).

The vulnerability has been assigned a CVSS v3.1 base score of 4.6 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N. The weakness has been categorized under CWE-287 (Improper Authentication) by NIST and CWE-1390 (Weak Authentication) by GitLab Inc. The vulnerability specifically affects the group access control mechanism in GitLab's authentication system (NVD).

The vulnerability could allow authenticated users with certain permissions to bypass two-factor authentication requirements, potentially compromising the security of affected GitLab installations. This could lead to unauthorized access to protected resources and potential security breaches in affected systems (Wiz).

GitLab has released patches in versions 17.10.7, 17.11.3, and 18.0.1 to address this vulnerability. It is strongly recommended that all affected installations be upgraded to the latest version immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take action (GitLab Patch).