CVE-2025-0652: 
GitLab vulnerability analysis and mitigation

An issue has been discovered in GitLab EE/CE affecting all versions starting from 16.9 before 17.7.7, all versions starting from 17.8 before 17.8.5, all versions starting from 17.9 before 17.9.2 that could allow unauthorized users to access confidential information intended for internal use only. The vulnerability was disclosed on March 12, 2025, and has been assigned CVE-2025-0652 (GitLab Release, NVD).

The vulnerability has been assessed with a CVSS v3.1 Base Score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The issue is classified under CWE-863 (Incorrect Authorization) and affects the internal notes functionality in merge requests (NVD, GitLab Release).

The vulnerability allows unauthorized users to access confidential information that was intended for internal use only when internal notes are included in merge requests (Security Online, GitLab Release).

GitLab has released patches in versions 17.7.7, 17.8.5, and 17.9.2 to address this vulnerability. Users are strongly recommended to upgrade to these patched versions immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers will be notified once their instance has been patched (GitLab Release).

The vulnerability was reported through GitLab's HackerOne bug bounty program by researcher foxribeye, demonstrating the effectiveness of GitLab's security response program (GitLab Release).