CVE-2025-6454: 
GitLab vulnerability analysis and mitigation

A Server-Side Request Forgery (SSRF) vulnerability was discovered in GitLab CE/EE, identified as CVE-2025-6454. The vulnerability affects all versions from 16.11 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2. This security issue could allow authenticated users to make unintended internal requests through proxy environments by injecting crafted sequences (GitLab Release, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 8.5 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H. The vulnerability is classified as CWE-918 (Server-Side Request Forgery) and specifically affects the webhook custom header functionality in GitLab (GitLab Release).

The vulnerability poses significant security risks as it allows authenticated users to perform server-side request forgery attacks, potentially leading to unauthorized access to internal resources and systems through proxy environments. The high CVSS score of 8.5 indicates severe potential impacts on confidentiality, integrity, and availability of the affected systems (GitLab Release).

GitLab has released patches to address this vulnerability in versions 18.1.6, 18.2.6, and 18.3.2. Organizations running affected versions are strongly recommended to upgrade to the latest patched version immediately. GitLab.com has already been updated with the security fix, and GitLab Dedicated customers do not need to take any action (GitLab Release).

The vulnerability was responsibly disclosed through GitLab's HackerOne bug bounty program by security researcher 'ppee'. GitLab has acknowledged and addressed the vulnerability promptly through their scheduled security release process (GitLab Release).