CVE-2025-3950 — Exposure of Private Personal Information to an Unauthorized Actor in Gitlab

CWE-359 — Exposure of Private Personal Information to an Unauthorized Actor6 documents6 sources

Severity

3.5LOWNVD

EPSS

0.0%

top 96.71%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab Gitlab CE

Timeline

PublishedJan 9

Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed a user to leak certain information by referencing specially crafted images that bypass asset proxy protection.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:NExploitability: 2.1 | Impact: 1.4

Affected Packages5 packages

▶CVEListV5gitlab/gitlab10.3 — 18.5.5+2

▶NVDgitlab/gitlab10.3.0 — 18.5.5+2

▶debiandebian/gitlab

▶gitlabgitlab/gitlab

▶gitlabgitlab/gitlab_ce

🔴Vulnerability Details

OSV

CVE-2025-3950: GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10↗2026-01-09

▶

GHSA

GHSA-6mpj-fw9g-9wqm: GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10↗2026-01-09

▶

📋Vendor Advisories

GitLab

CVE-2025-3950: GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could h↗2026-01-09

▶

Debian

CVE-2025-3950: gitlab - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.3 ...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-3950 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶