CVE-2025-11989: 
GitLab vulnerability analysis and mitigation

GitLab has identified a security vulnerability (CVE-2025-11989) affecting GitLab Enterprise Edition (EE) versions from 17.6.0 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1. The vulnerability allows authenticated attackers to execute unauthorized quick actions by including malicious commands in specific descriptions (NVD, GitLab Release).

The vulnerability has been assigned a CVSS v3.1 Base Score of 3.7 (Low) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N. This indicates that the vulnerability requires network access, has high attack complexity, needs low privileges, requires user interaction, has an unchanged scope, and can result in low confidentiality and integrity impacts with no availability impact (NVD).

The vulnerability can lead to unauthorized execution of quick actions when an authenticated attacker includes malicious commands in specific descriptions. The impact is considered low, with potential for minor confidentiality and integrity breaches (GitLab Release).

GitLab has released patches to address this vulnerability in versions 18.3.5, 18.4.3, and 18.5.1. Organizations running affected versions are strongly recommended to upgrade to the latest patched version immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take action (GitLab Release).

The vulnerability was discovered internally by GitLab team member Eva Kadlecová. Ubuntu has noted that GitLab is no longer maintainable as a distribution package and has been removed from their repositories (Ubuntu Security).