CVE-2025-6171: 
GitLab vulnerability analysis and mitigation

GitLab has identified an Information Disclosure vulnerability (CVE-2025-6171) affecting GitLab Community Edition (CE) and Enterprise Edition (EE). The vulnerability was discovered in versions from 13.2 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2. This security issue was reported through GitLab's HackerOne bug bounty program by researcher iamgk808 (GitLab Patch).

The vulnerability allows authenticated users with reporter access to view branch names and pipeline details through the packages API endpoint, even when repository access is disabled. The severity of this vulnerability has been assessed with a CVSS v3.1 score of 3.1 (Low), with the following vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N (GitLab Patch).

The vulnerability could lead to unauthorized access to sensitive information, specifically branch names and pipeline details, potentially exposing internal project information to users who should not have access to this data (GitLab Patch).

GitLab has released patches in versions 18.5.2, 18.4.4, and 18.3.6 to address this vulnerability. Organizations are strongly recommended to upgrade to these patched versions immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take any action (GitLab Patch).