CVE-2025-7000: 
GitLab vulnerability analysis and mitigation

GitLab has identified an Information Disclosure vulnerability (CVE-2025-7000) affecting GitLab Community Edition (CE) and Enterprise Edition (EE). The vulnerability was discovered through GitLab's HackerOne bug bounty program by researcher weasterhacker. The affected versions include all GitLab CE/EE versions from 17.6 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 (GitLab Release).

Under specific conditions, the vulnerability could allow unauthorized users to view confidential branch names by accessing project issues with related merge requests. The vulnerability has been assigned a CVSS v3.1 score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility, low attack complexity, and required low privileges (GitLab Release).

The vulnerability allows unauthorized access to confidential branch names through project issues that have related merge requests, potentially exposing sensitive information about private repository structures and development workflows (GitLab Release).

GitLab has released patches in versions 18.5.2, 18.4.4, and 18.3.6 to address this vulnerability. Users are strongly recommended to upgrade to these patched versions immediately. GitLab.com has already been updated with the fix, and GitLab Dedicated customers do not need to take any action (GitLab Release).