CVE-2025-5121
published 2025-06-20

Priority: P2 64
Severity: critical, 9.9 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 6.53% (92.9th percentile)
An issue has been discovered in GitLab CE/EE affecting all versions from 17.11 before 17.11.4 and 18.0 before 18.0.2. A missing authorization check may have allowed compliance frameworks to be applied to projects outside the compliance framework's group.

Affected (7 ranges)

Vendor    Product     Version range           Fixed in
debian    gitlab
gitlab    gitlab
gitlab    gitlab      >= 17.11 < 17.11.4      17.11.4
gitlab    gitlab      >= 17.11.0 < 17.11.4    17.11.4
gitlab    gitlab      >= 18.0 < 18.0.2        18.0.2
gitlab    gitlab      >= 18.0.0 < 18.0.2      18.0.2
gitlab    gitlab_ce

Detection & IOCs (extracted from sources)

  • CVE-2025-5121 affects GitLab Ultimate EE and allows remote authenticated attackers to inject malicious CI/CD jobs into any project's future CI/CD pipelines via a missing authorization check on compliance frameworks.
  • Exploitation requires authenticated access to a GitLab instance running a GitLab Ultimate license; unauthenticated exploitation is not possible.
  • Vulnerable GitLab versions are 17.11 up to (not including) 17.11.4 and 18.0 up to (not including) 18.0.2; monitor for unpatched self-managed instances running these version ranges.
  • The vulnerability stems from a missing authorization check that may allow compliance frameworks to be applied to projects outside the compliance framework's group — audit logs for unexpected cross-group compliance framework assignments should be reviewed.
  • Only GitLab Ultimate EE (Enterprise Edition) instances are exploitable for the CI/CD pipeline injection primitive; CE installations are affected by the compliance framework misapplication but may not expose the full pipeline injection impact.
  • GitLab.com (SaaS) is already patched; only self-managed GitLab installations in the affected version ranges require action. GitLab Dedicated customers do not need to take action.
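The version-range and edition checks in the bullets above, written out as a small triage helper. This is an added example, not code from the page or from GitLab. It encodes only the two affected ranges listed on this page (17.11 before 17.11.4, 18.0 before 18.0.2); the sample `/api/v4/version` responses are constructed, and the assumption that EE builds carry an `-ee` suffix in their version string is ours, so adjust `infer_edition` to match what your instance actually reports.

```python
from typing import Dict, Optional, Tuple

# Affected ranges as listed on this page for CVE-2025-5121:
# (lower bound inclusive, upper bound exclusive, fixed-in version).
AFFECTED_RANGES = (
    ((17, 11, 0), (17, 11, 4), "17.11.4"),
    ((18, 0, 0), (18, 0, 2), "18.0.2"),
)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]' into a comparable 3-tuple.

    Build suffixes such as '-ee' or '-pre' are dropped before parsing;
    a missing patch component is treated as 0 (so '18.0' == '18.0.0').
    """
    core = version.strip().split("-", 1)[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def fixed_in(version: str) -> Optional[str]:
    """Return the fixed-in version if `version` falls in an affected range, else None."""
    parsed = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= parsed < high:
            return fixed
    return None


def infer_edition(version: str) -> str:
    """Assumption (ours, not from the page): EE builds report a version ending in '-ee'."""
    return "EE" if version.strip().endswith("-ee") else "CE"


def triage(version_response: Dict[str, str], ultimate_license: bool) -> Dict[str, object]:
    """Triage one instance from its /api/v4/version JSON and license tier.

    Mirrors the page's guidance: any instance in the affected ranges needs the
    patch; the CI/CD pipeline injection impact applies only to Ultimate EE.
    """
    version = version_response["version"]
    fixed = fixed_in(version)
    edition = infer_edition(version)
    return {
        "version": version,
        "affected": fixed is not None,
        "upgrade_to": fixed,
        "pipeline_injection_exposure": fixed is not None and edition == "EE" and ultimate_license,
    }


# Constructed sample responses (not real instances) showing the decision points.
SAMPLE_INSTANCES = [
    ({"version": "17.11.3-ee", "revision": "deadbeef"}, True),   # affected, full impact
    ({"version": "17.11.4-ee", "revision": "deadbeef"}, True),   # patched
    ({"version": "18.0.1", "revision": "deadbeef"}, False),      # affected CE, reduced impact
    ({"version": "17.10.9-ee", "revision": "deadbeef"}, True),   # below affected range
]

if __name__ == "__main__":
    for response, ultimate in SAMPLE_INSTANCES:
        print(triage(response, ultimate))
```

Run the module directly to see the four constructed cases; in practice, feed it the JSON from each self-managed instance's `/api/v4/version` endpoint and treat any `affected: True` result as needing the listed upgrade, with `pipeline_injection_exposure` marking the instances to prioritise and whose compliance-framework assignment audit logs should be reviewed first.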

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.9     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
osv                       9.9     CRITICAL
vendor_debian             8.5     HIGH