CVE-2025-1278: 
GitLab vulnerability analysis and mitigation

A security vulnerability (CVE-2025-1278) was discovered in GitLab CE/EE affecting all versions from 12.0 before 17.9.8, 17.10 before 17.10.6, and 17.11 before 17.11.2. The vulnerability was disclosed on May 9, 2025, and allows users to bypass IP access restrictions under certain conditions, potentially exposing sensitive information (NVD, GitLab Release).

The vulnerability is classified with a CVSS v3.1 Base Score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The weakness is categorized as CWE-1220 (Insufficient Granularity of Access Control). The technical nature of the vulnerability involves the ability to bypass group IP access restrictions, specifically allowing unauthorized access to view issue titles of restricted projects (NVD, Wiz).

The vulnerability enables unauthorized users to bypass IP access restrictions of a group, potentially leading to the disclosure of sensitive information, specifically issue titles of restricted projects. This represents a confidentiality breach in GitLab's security model (GitLab Release).

GitLab has addressed this vulnerability in versions 17.9.8, 17.10.6, and 17.11.2. Organizations running affected versions are strongly recommended to upgrade to these patched versions immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take any action (GitLab Release).

The vulnerability has been acknowledged by various Linux distributions, with Ubuntu noting that GitLab is no longer maintained as a distribution package due to maintainability concerns. Debian's security tracker has marked the package as vulnerable in their sid release (Wiz).