CVE-2025-11984 — Authentication Bypass Using an Alternate Path or Channel in Gitlab

CWE-288 — Authentication Bypass Using an Alternate Path or Channel CWE-120 — Classic Buffer Overflow7 documents7 sources

Severity

6.8MEDIUMNVD

EPSS

0.0%

top 88.91%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab CE +1 more

Timeline

PublishedDec 11

Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to bypass WebAuthn two-factor authentication by manipulating the session state under certain conditions.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 1.6 | Impact: 5.2

Affected Packages6 packages

▶CVEListV5gitlab/gitlab13.1 — 18.4.6+2

▶NVDgitlab/gitlab13.1.0 — 18.4.6+2

▶debiandebian/gitlab

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

🔴Vulnerability Details

GHSA

GHSA-m766-xfqm-qm37: GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13↗2025-12-11

▶

OSV

CVE-2025-11984: GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13↗2025-12-11

▶

📋Vendor Advisories

GitLab

CVE-2025-11984: GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could h↗2025-12-11

▶

Debian

CVE-2025-11984: gitlab - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.1 ...↗2025

▶

Microsoft

Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE↗2020-08-11

▶

🕵️Threat Intelligence

Wiz

CVE-2025-11984 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶