CVE-2025-11340

7.7 HIGH

📋 TL;DR

This vulnerability in GitLab EE allows authenticated users with read-only API tokens to perform unauthorized write operations on vulnerability records by exploiting incorrectly scoped GraphQL mutations. It affects GitLab EE versions 18.3 to 18.3.4 and 18.4 to 18.4.2. Attackers could modify vulnerability data, potentially hiding security issues or creating false positives.

💻 Affected Systems

Products:
  • GitLab EE
Versions: 18.3 to 18.3.4, 18.4 to 18.4.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects GitLab Enterprise Edition (EE). Requires authenticated users with read-only API tokens. Community Edition (CE) is not affected.

📦 What is this software?

Gitlab by Gitlab

GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...

Learn more about Gitlab →

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could delete or modify vulnerability records to hide critical security issues from security teams, allowing known vulnerabilities to remain unpatched while creating false confidence in security posture.

🟠 Likely Case

Malicious insiders or compromised accounts with read-only tokens could tamper with vulnerability data, disrupting security workflows and potentially hiding moderate-severity vulnerabilities.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to data integrity issues within vulnerability records that can be detected and corrected.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access with read-only API tokens and knowledge of GraphQL mutations. No public exploit code has been released.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 18.3.5, 18.4.3, or later

Vendor Advisory: https://about.gitlab.com/releases/2025/10/08/patch-release-gitlab-18-4-2-released/

Restart Required: Yes

Instructions:

1. Backup your GitLab instance.
2. Update to GitLab EE 18.3.5, 18.4.3, or later.
3. Restart GitLab services.
4. Verify the update completed successfully.

🔧 Temporary Workarounds

Restrict API Token Permissions

all

Temporarily restrict or revoke read-only API tokens until patching can be completed.

Navigate to User Settings > Access Tokens and review or revoke unnecessary tokens.

Monitor GraphQL Mutations

all

Implement monitoring for unauthorized GraphQL mutation attempts on vulnerability endpoints.

Review GitLab logs for GraphQL mutation attempts made with read-only tokens.

🧯 If You Can't Patch

  • Review and restrict all read-only API token permissions to minimum necessary access
  • Implement enhanced monitoring for GraphQL mutation operations on vulnerability records

🔍 How to Verify

Check if Vulnerable:

Check GitLab version via Admin Area > Overview or run: sudo gitlab-rake gitlab:env:info | grep 'GitLab version'

Check Version:

sudo gitlab-rake gitlab:env:info | grep 'GitLab version'

Verify Fix Applied:

Verify version is 18.3.5, 18.4.3, or later using the same command and test that read-only tokens cannot modify vulnerability records.
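The version comparison described above, as an added POSIX shell example that is not part of this advisory: it classifies a GitLab EE version string against the affected ranges (18.3.0 to 18.3.4, 18.4.0 to 18.4.2) and pulls the version out of gitlab:env:info output. The sample output, the "-ee" suffix handling and the assumption that the version follows the first line containing "GitLab" are mine, not the advisory's.

```shell
#!/bin/sh
# Added example, not from the advisory: classify a GitLab EE version against the
# CVE-2025-11340 affected ranges (18.3.0-18.3.4, 18.4.0-18.4.2). POSIX sh.

# 0 = affected, 1 = not affected, 2 = unparsable. Accepts "18.4.1", "18.4"
# or "18.4.1-ee" (the "-ee" suffix is dropped; assumed EE naming).
cve_2025_11340_affected() {
    ver=${1%%-*}
    case "$ver" in
        '' | *[!0-9.]* | *..* | .* | *.) return 2 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0     # "18.4" means 18.4.0
    [ "$major" -eq 18 ] || return 1
    case "$minor" in
        3) [ "$patch" -le 4 ] ;;          # fixed in 18.3.5
        4) [ "$patch" -le 2 ] ;;          # fixed in 18.4.3
        *) return 1 ;;
    esac
}

# Take the X.Y.Z version from `sudo gitlab-rake gitlab:env:info` output on stdin; assumed
# to be the first X.Y.Z at or after the first line containing "GitLab" (Ruby/Git come earlier).
extract_gitlab_version() {
    sed -n '/GitLab/,$p' | grep -o -E '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Constructed sample of gitlab:env:info output, not captured from a real instance.
SAMPLE_ENV_INFO='System information
Ruby Version:   3.2.5p208
Git Version:    2.47.0

GitLab information
Version:        18.4.1-ee
Revision:       PLACEHOLDER_REVISION'

# Stand-alone run: the sample version plus the two fixed releases, for contrast.
main() {
    for v in $(printf '%s\n' "$SAMPLE_ENV_INFO" | extract_gitlab_version) 18.3.5 18.4.3; do
        if cve_2025_11340_affected "$v"; then
            echo "$v: AFFECTED, upgrade to 18.3.5 / 18.4.3 or later"
        else
            echo "$v: not in an affected range"
        fi
    done
}
main
```

On a live instance, replace the sample with `sudo gitlab-rake gitlab:env:info | extract_gitlab_version`; the script only reads the output and changes nothing.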

📡 Detection & Monitoring

Log Indicators:

  • GraphQL mutation attempts from read-only API tokens
  • Unauthorized write operations on vulnerability records
  • API token permission escalation attempts

Network Indicators:

  • Unusual GraphQL mutation patterns to vulnerability endpoints
  • API requests from read-only tokens performing write operations

SIEM Query:

source="gitlab" AND ("GraphQL mutation" OR "vulnerability") AND ("write" OR "modify" OR "delete") AND token_type="read_only"
