CVE-2025-2408: 
GitLab vulnerability analysis and mitigation

An issue has been discovered in GitLab CE/EE affecting all versions from 13.12 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. Under certain conditions users could bypass IP access restrictions and view sensitive information (CVE MITRE, NVD).

The vulnerability is classified as a medium severity issue with a CVSS v3.1 base score of 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). The weakness is categorized as CWE-1220 (Insufficient Granularity of Access Control). The vulnerability specifically relates to IP restriction bypass through GraphQL Subscription functionality (GitLab Release).

The vulnerability allows attackers to bypass IP access restrictions, potentially leading to unauthorized access to sensitive information. The impact is primarily focused on confidentiality breaches, with no direct effect on system integrity or availability (NVD).

GitLab has released patches in versions 17.8.7, 17.9.6, and 17.10.4 to address this vulnerability. All affected installations are strongly recommended to upgrade to the latest version immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take action (GitLab Release).

The vulnerability was responsibly disclosed through GitLab's HackerOne bug bounty program by security researcher rogerace. GitLab has acknowledged and addressed the issue promptly through their regular security patch release cycle (GitLab Release).