CVE-2025-2615: 
GitLab vulnerability analysis and mitigation

GitLab has identified a security vulnerability (CVE-2025-2615) affecting GitLab CE/EE versions from 16.7 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2. The vulnerability could allow blocked users to access sensitive information by establishing GraphQL subscriptions through WebSocket connections (GitLab Release, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The issue is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data) and specifically involves the exploitation of GraphQL subscriptions through WebSocket connections to bypass user blocking restrictions (GitLab Release).

The vulnerability allows blocked users to bypass access restrictions and obtain sensitive information through GraphQL subscriptions via WebSocket connections. The impact is limited to information disclosure without any ability to modify data or affect system availability (GitLab Release).

GitLab has released patches in versions 18.3.6, 18.4.4, and 18.5.2 to address this vulnerability. Users are strongly recommended to upgrade to these patched versions immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take any action (GitLab Release).

The vulnerability was discovered and reported through GitLab's HackerOne bug bounty program by security researcher 'rogerace', demonstrating the effectiveness of GitLab's security research collaboration efforts (GitLab Release).