CVE-2025-1110: 
GitLab vulnerability analysis and mitigation

An issue has been discovered in GitLab CE/EE affecting all versions from 18.0 before 18.0.1, identified as CVE-2025-1110. The vulnerability was reported through GitLab's HackerOne bug bounty program by researcher pwnie and was patched in GitLab version 18.0.1 released in May 2025 (GitLab Release, NVD).

The vulnerability allows a user with limited permissions to access Job Data via a crafted GraphQL query under certain circumstances. The issue has been assigned a CVSS v3.1 base score of 2.7 (LOW) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility with low attack complexity but requiring high privileges (NVD, Wiz).

The vulnerability allows unauthorized access to Job Data, potentially exposing sensitive information to users who should not have access to it. The impact is limited to confidentiality breaches with no effect on system integrity or availability (GitLab Release, Wiz).

The vulnerability has been fixed in GitLab version 18.0.1. Organizations running affected versions of GitLab CE/EE are strongly recommended to upgrade to version 18.0.1 or later immediately. GitLab.com has already been updated with the patched version (GitLab Release).

The vulnerability was discovered and reported through GitLab's bug bounty program by security researcher pwnie, demonstrating the effectiveness of GitLab's security response program (GitLab Release).