CVE-2025-11989: 
GitLab vulnerability analysis and mitigation

A missing authorization vulnerability (CVE-2025-11989) was discovered in GitLab Enterprise Edition (EE) affecting versions from 17.6.0 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1. The vulnerability was internally discovered by GitLab team member Eva Kadlecová and disclosed on October 22, 2025 (GitLab Release, NVD).

The vulnerability allows authenticated users to execute unauthorized quick actions by including malicious commands in specific descriptions. The issue has been assigned a CVSS v3.1 base score of 3.7 (Low) by GitLab with vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N, while NVD assessed it with a higher score of 8.1 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N. The vulnerability is classified under CWE-862 (Missing Authorization) (NVD).

The vulnerability could allow authenticated attackers to execute unauthorized quick actions in GitLab EE, potentially leading to unauthorized command execution through specially crafted descriptions (GitLab Release).

GitLab has released patches in versions 18.3.5, 18.4.3, and 18.5.1 to address this vulnerability. Users are strongly recommended to upgrade to these patched versions immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take action (GitLab Release).