CVE-2025-5121: 
GitLab vulnerability analysis and mitigation

A missing authorization vulnerability (CVE-2025-5121) was discovered in GitLab Ultimate EE affecting versions from 17.11 before 17.11.4 and 18.0 before 18.0.2. The vulnerability was reported through GitLab's HackerOne bug bounty program by researcher jean_d-ou and was disclosed on June 20, 2025. The issue impacts GitLab Ultimate Enterprise Edition installations with a GitLab Ultimate license applied (paid customer or trial) (GitLab Release, NVD).

The vulnerability stems from a missing authorization check that could allow authenticated users with access to a GitLab instance to inject malicious CI/CD jobs into all future CI/CD pipelines of any project. The vulnerability has been assigned a CVSS v3.1 base score of 8.5 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating network accessibility, high attack complexity, low privileges required, and potential for high impacts on confidentiality, integrity, and availability (GitLab Release).

The vulnerability could allow an authenticated attacker to inject malicious CI/CD jobs into all future CI/CD pipelines of any project within a GitLab Ultimate instance. This could lead to unauthorized code execution, data breaches, and potential system compromise (Wiz).

GitLab has released patches in versions 17.11.4 and 18.0.2 to address this vulnerability. Users are strongly recommended to upgrade to these versions immediately. GitLab.com has already been updated with the patched version, and GitLab Dedicated customers do not need to take any action (GitLab Release).