CVE-2025-1198: 
GitLab vulnerability analysis and mitigation

An issue was discovered in GitLab CE/EE affecting all versions from 16.11 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 where long-lived connections in ActionCable potentially allowed revoked Personal Access Tokens to maintain access to streaming results. The vulnerability, identified as CVE-2025-1198, was discovered internally by GitLab team member Dylan Griffith (GitLab Release).

The vulnerability is classified as a medium severity issue with a CVSS v3.1 score of 4.2 (AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N). The technical issue involves ActionCable's handling of token invalidation, where revoked Personal Access Tokens could potentially continue to access streaming results through long-lived connections (GitLab Release).

The vulnerability could allow unauthorized access to streaming results even after Personal Access Tokens have been revoked, potentially leading to information disclosure and continued access to resources that should have been restricted (Security Online).

GitLab has released patches in versions 17.8.2, 17.7.4, and 17.6.5 for both Community Edition (CE) and Enterprise Edition (EE). Users are strongly recommended to upgrade to these latest versions immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take any action (GitLab Release).