CVE-2025-11865
📋 TL;DR
An incorrect-authorization flaw (CWE-863) in GitLab EE allows an attacker, under certain circumstances, to remove another user's Duo two-factor authentication flows. It affects GitLab EE 18.1 through 18.3.5, 18.4 through 18.4.3, and 18.5 through 18.5.1; it is fixed in 18.3.6, 18.4.4 and 18.5.2. Stripping a user's 2FA weakens that account's protection and is a natural first step in an account-takeover chain.
💻 Affected Systems
- GitLab EE
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
An attacker could disable Duo 2FA for privileged users, potentially enabling account takeover and lateral movement within the GitLab instance.
Likely Case
Targeted attacks against specific users to disable their 2FA, potentially as part of a multi-stage attack to compromise accounts.
If Mitigated
Limited impact if proper access controls, monitoring, and backup authentication methods are in place.
🎯 Exploit Status
No public exploit is referenced here. The vendor states the flaw is exploitable only under certain circumstances, and the CWE-863 (Incorrect Authorization) classification points to a missing or wrong authorization check rather than a missing authentication step, so some level of authenticated access to the instance is the likely precondition.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 18.3.6, 18.4.4, or 18.5.2
Vendor Advisory: https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released/
Restart Required: Yes
Instructions:
1. Back up your GitLab instance.
2. Update to GitLab EE 18.3.6, 18.4.4, or 18.5.2, depending on which branch you are on.
3. Restart GitLab services.
4. Verify the update was successful (see How to Verify below).
🔧 Temporary Workarounds
Disable Duo Authentication
Temporarily disable Duo two-factor authentication until patching can be completed, by editing the GitLab configuration to turn Duo authentication off. Caveat: this removes the same protection the attacker would strip, so it is only a sensible workaround where affected users also have another enforced 2FA method (TOTP or WebAuthn). Otherwise, prioritise patching.
Restrict User Permissions
Review and tighten user permissions to limit who can modify authentication settings.
🧯 If You Can't Patch
- Implement strict access controls and monitor for unauthorized authentication changes
- Enable additional logging for authentication events and review regularly
🔍 How to Verify
Check if Vulnerable:
Compare the installed GitLab EE version against the affected ranges: 18.1-18.3.5, 18.4-18.4.3, 18.5-18.5.1. Note that 18.0.x and earlier are not listed in the advisory.
Check Version:
sudo gitlab-rake gitlab:env:info | grep 'Version:'
Verify Fix Applied:
The version is 18.3.6, 18.4.4, or 18.5.2, or a later release on the same or a newer branch.
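The version check above is easy to get wrong by eye because three branches have three different fixed patch levels. The script below is an added example (the editor's code, not part of this advisory or of GitLab) that classifies a version string against the advisory's ranges. It assumes versions in the form printed by `gitlab-rake gitlab:env:info` (for example `18.5.1-ee`); the sample versions passed on the command line are constructed.

```shell
#!/bin/sh
# Added example (editor's code, not from the advisory or from GitLab): classify a
# GitLab EE version string against the ranges the advisory gives for CVE-2025-11865.
#   affected: 18.1.0-18.3.5, 18.4.0-18.4.3, 18.5.0-18.5.1
#   fixed:    18.3.6, 18.4.4, 18.5.2 and later releases on the same or a newer branch
# 18.0.x and 17.x are not listed by the advisory, so they are reported as
# "not_listed", not as "fixed". Assumption: versions look like "18.5.1-ee".

# cve_2025_11865_status VERSION
#   prints: vulnerable | fixed | not_listed | invalid
#   exit status: 1 for vulnerable or invalid, 0 otherwise
cve_2025_11865_status() {
  v="${1%%-*}"                 # "18.5.1-ee" -> "18.5.1"
  major="${v%%.*}"             # "18"
  rest="${v#*.}"               # "5.1"  (a bare "18" leaves rest == v)
  if [ "$rest" = "$v" ]; then
    minor=0; patch=0
  else
    minor="${rest%%.*}"        # "5"
    patch="${rest#*.}"         # "1"    (a bare "5" leaves patch == rest)
    [ "$patch" = "$rest" ] && patch=0
    patch="${patch%%.*}"       # tolerate a fourth component
  fi
  for n in "$major" "$minor" "$patch"; do
    case "$n" in ''|*[!0-9]*) printf 'invalid\n'; return 1;; esac
  done

  status=not_listed
  if [ "$major" -eq 18 ]; then
    if [ "$minor" -ge 1 ] && [ "$minor" -le 3 ]; then
      # 18.1.x and 18.2.x are affected throughout; 18.3 is fixed from 18.3.6
      if [ "$minor" -eq 3 ] && [ "$patch" -ge 6 ]; then status=fixed; else status=vulnerable; fi
    elif [ "$minor" -eq 4 ]; then
      if [ "$patch" -ge 4 ]; then status=fixed; else status=vulnerable; fi
    elif [ "$minor" -eq 5 ]; then
      if [ "$patch" -ge 2 ]; then status=fixed; else status=vulnerable; fi
    elif [ "$minor" -ge 6 ]; then
      status=fixed               # branches cut after the patch releases
    fi
  elif [ "$major" -gt 18 ]; then
    status=fixed
  fi
  printf '%s\n' "$status"
  [ "$status" != vulnerable ]
}

# installed_gitlab_version: read the running version the way the advisory
# suggests (Linux package install); prints nothing if gitlab-rake is absent.
installed_gitlab_version() {
  sudo gitlab-rake gitlab:env:info 2>/dev/null | sed -n 's/^Version:[[:space:]]*//p' | head -n 1
}

# Usage:  sh check_cve_2025_11865.sh 18.5.1-ee 18.4.4-ee 17.11.2-ee
#         sh check_cve_2025_11865.sh --installed    # queries the local instance
if [ "${1:-}" = "--installed" ]; then
  set -- "$(installed_gitlab_version)"
fi
for ver in "$@"; do
  printf '%s: ' "$ver"
  cve_2025_11865_status "$ver" || :
done
```

The exit status lets the function drop straight into a fleet check: anything that returns 1 is either on an affected branch below its fixed patch level or has an unparsable version and needs a look.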
📡 Detection & Monitoring
Log Indicators:
- Unauthorized modifications to Duo authentication settings
- Unexpected removal of 2FA for users
Network Indicators:
- Unusual authentication pattern changes
SIEM Query:
source="gitlab" AND (event="duo_removed" OR event="2fa_disabled")
The event names in this query are placeholders. Before deploying it, map them to the audit event types your instance actually emits (on Linux package installs these land in the audit_json.log file under the gitlab-rails log directory), and alert on 2FA removals where the acting user is not the account owner.