CVE-2024-4994 — Cross-Site Request Forgery in Gitlab

CWE-352 — Cross-Site Request Forgery5 documents5 sources

Severity

8.1HIGHNVD

EPSS

0.1%

top 74.07%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab CE

Timeline

PublishedJun 20

Description

An issue has been discovered in GitLab CE/EE affecting all versions from 16.1.0 before 16.11.5, all versions starting from 17.0 before 17.0.3, all versions starting from 17.1.0 before 17.1.1 which allowed for a CSRF attack on GitLab's GraphQL API leading to the execution of arbitrary GraphQL mutations.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages5 packages

▶CVEListV5gitlab/gitlab16.1 — 16.11.5+1

▶NVDgitlab/gitlab16.1.0 — 16.11.5+2

▶debiandebian/gitlab

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

🔴Vulnerability Details

OSV

CVE-2024-4994: An issue has been discovered in GitLab CE/EE affecting all versions from 16↗2025-06-20

▶

GHSA

GHSA-44j4-r7x2-mjhj: An issue has been discovered in GitLab CE/EE affecting all versions from 16↗2025-06-20

▶

📋Vendor Advisories

GitLab

CVE-2024-4994: An issue has been discovered in GitLab CE/EE affecting all versions from 16.1.0 before 16.11.5, all versions starting from 17.0 before 17.0.3, all ver↗2025-06-20

▶

Debian

CVE-2024-4994: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions from 16.1.0 ...↗2024

▶