CVE-2025-4979: 
GitLab vulnerability analysis and mitigation

An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. The vulnerability allows an attacker to reveal masked or hidden CI variables (that they did not author) in the WebUI, by simply creating their own variable and observing the HTTP response. This vulnerability was discovered internally by a GitLab team member (GitLab Patch, MITRE).

The vulnerability has been assigned CVE-2025-4979 and is classified under CWE-1220 (Insufficient Granularity of Access Control). It has received a CVSS v3.1 base score of 4.9 (Medium) with the vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N. The issue specifically relates to information disclosure in the GitLab WebUI's variable handling system (Wiz, NVD).

The vulnerability enables authenticated users to expose sensitive CI/CD variables such as API keys and deployment tokens that they should not have access to. This information disclosure could potentially lead to unauthorized access to resources or systems protected by these credentials (Wiz).

GitLab has released patches in versions 18.0.1, 17.11.3, and 17.10.7 to address this vulnerability. Organizations are strongly recommended to upgrade to these patched versions immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take action (GitLab Patch).