CVE-2025-11971: 
GitLab vulnerability analysis and mitigation

GitLab has identified a security vulnerability (CVE-2025-11971) affecting GitLab Enterprise Edition (EE) versions from 10.6 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1. This vulnerability is related to incorrect authorization in pipeline builds (GitLab Release, NVD).

The vulnerability has been classified with a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N. The issue is categorized under CWE-863 (Incorrect Authorization) and requires network access with high attack complexity, low privileges, and user interaction (NVD).

The vulnerability could allow an authenticated attacker to trigger unauthorized pipeline executions by manipulating commits. This poses a significant security risk as it could lead to unauthorized code execution within the GitLab pipeline infrastructure (GitLab Release).

GitLab has released patches in versions 18.3.5, 18.4.3, and 18.5.1 to address this vulnerability. Organizations are strongly recommended to upgrade to these patched versions immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take action (GitLab Release).

Ubuntu has acknowledged the vulnerability but noted that GitLab is no longer maintained as a distribution package due to maintainability issues. They have explicitly stated they will not be fixing security issues in the GitLab package (Ubuntu Security).