CVE-2025-5101: 
GitLab vulnerability analysis and mitigation

A code injection vulnerability (CVE-2025-5101) was discovered in GitLab CE/EE affecting all versions before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1. The vulnerability was disclosed on August 27, 2025, and affects both Community Edition (CE) and Enterprise Edition (EE) versions of GitLab (GitLab Release, NVD).

The vulnerability allows authenticated attackers to exploit ambiguity between branches and tags during repository imports, potentially enabling the distribution of malicious code that appears harmless in the web interface. The vulnerability has been assigned a CVSS v3.1 base score of 5.0 (Medium) with the vector string CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N. The weakness has been categorized as CWE-94 (Improper Control of Generation of Code) (NVD).

The vulnerability could allow authenticated attackers to inject and distribute malicious code through GitLab repositories. The code could appear benign in the web interface while containing harmful content, potentially leading to code execution or other security implications for users interacting with the affected repositories (GitLab Release).

GitLab has released patches in versions 18.1.5, 18.2.5, and 18.3.1 to address this vulnerability. Organizations running affected versions are strongly recommended to upgrade to the latest patched version immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take any action (GitLab Release).