CVE-2025-9825: 
GitLab vulnerability analysis and mitigation

GitLab has identified and remediated a security vulnerability (CVE-2025-9825) affecting GitLab CE/EE versions from 13.7 to 18.2.8, 18.3 before 18.3.4, and 18.4 before 18.4.2. The vulnerability allowed authenticated users without project membership to access sensitive manual CI/CD variables through the GraphQL API (GitLab Release, NVD).

The vulnerability is classified as a Missing Authorization issue (CWE-862) with a CVSS v3.1 score of 5.0 (Medium), and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N. The issue specifically involves unauthorized access to manual CI/CD variables through GraphQL API queries, affecting both Community Edition (CE) and Enterprise Edition (EE) versions (GitLab Release).

The vulnerability allows authenticated users who do not have project membership to view sensitive manual CI/CD variables, potentially exposing confidential configuration data. The impact is limited to data confidentiality, with no direct impact on system integrity or availability (GitLab Release).

GitLab has released patches in versions 18.4.2, 18.3.4, and 18.2.8. Organizations are strongly recommended to upgrade to these patched versions immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take action (GitLab Release).

The vulnerability was responsibly disclosed through GitLab's HackerOne bug bounty program by researcher joaxcar. Ubuntu has noted that they will not be fixing this issue in their packaged version as GitLab is no longer maintainable as a distro package (Ubuntu Security).