CVE-2025-11984
📋 TL;DR
This vulnerability allows an authenticated attacker to bypass WebAuthn two-factor authentication in GitLab by manipulating session state, so the second factor never has to be presented. It affects GitLab Community Edition and Enterprise Edition installations running vulnerable versions with WebAuthn enabled. Attackers who can clear the first authentication step could gain unauthorized access to accounts that rely on WebAuthn 2FA.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
Attackers bypass 2FA on administrator accounts, gaining full control over GitLab instances, accessing source code, CI/CD pipelines, and sensitive data.
Likely Case
Attackers bypass 2FA on developer accounts to access repositories, steal intellectual property, or inject malicious code into projects.
If Mitigated
With proper network segmentation and monitoring, impact is limited to unauthorized access to individual accounts, which can be detected and contained.
🎯 Exploit Status
Requires authenticated access and knowledge of session manipulation techniques. No public exploit code available at disclosure.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 18.4.6, 18.5.4, 18.6.2
Vendor Advisory: https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released/
Restart Required: Yes
Instructions:
1. Back up the GitLab instance.
2. Update to the patched version for your release branch using the package manager (apt/yum) for Omnibus installs, or the equivalent for your deployment method.
3. Restart GitLab services.
4. Verify that the update completed successfully.
🔧 Temporary Workarounds
Disable WebAuthn 2FA
(Linux) Temporarily disable WebAuthn two-factor authentication until patching is complete. Confirm that this setting exists on your GitLab version before running the command, and note that it removes a second factor rather than adding one: make sure affected users have another factor enrolled, and re-enable WebAuthn as soon as the patch is applied.
sudo gitlab-rails runner "ApplicationSetting.current.update!(webauthn_enabled: false)"
Require additional authentication factors
(All platforms) Add compensating authentication controls such as IP allowlists for sign-in, shorter session timeouts, and mandatory re-authentication for sensitive actions, so a bypassed second factor buys an attacker less.
🧯 If You Can't Patch
- Implement strict network access controls to limit GitLab access to trusted networks only
- Enable enhanced logging and monitoring for authentication events and session anomalies
🔍 How to Verify
Check if Vulnerable:
Check the GitLab version: all versions from 13.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 (that is, 13.1 to 18.4.5, 18.5.0 to 18.5.3, and 18.6.0 to 18.6.1) are vulnerable when WebAuthn is enabled.
Check Version:
sudo gitlab-rake gitlab:env:info | grep '^Version:'
(The pattern is anchored because the same output also contains Ruby Version, Gem Version and similar lines that an unanchored grep 'Version:' would print alongside the GitLab version.)
Verify Fix Applied:
Verify that the GitLab version is at or above the fixed version for its own release branch: 18.4.6 or later on 18.4, 18.5.4 or later on 18.5, 18.6.2 or later on 18.6. A numerically higher version on an older branch is not sufficient (18.5.0 is above 18.4.6 but still vulnerable). Then test that WebAuthn 2FA still prompts and verifies correctly.
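The branch-by-branch comparison above is easy to get wrong by hand, so here is an added example (not GitLab's own tooling) that parses the output of gitlab-rake gitlab:env:info and applies the affected ranges listed on this page. The sample output embedded below is constructed for the example; the only assumption about the real command is that it prints a line beginning with "Version:" in the GitLab information block.

```python
"""Classify a GitLab version against the CVE-2025-11984 affected ranges.

Added example, not GitLab code. Ranges are taken from this page:
affected iff 13.1.0 <= v < 18.4.6, 18.5.0 <= v < 18.5.4, or 18.6.0 <= v < 18.6.2.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, first fixed) per release branch; affected iff lo <= v < hi.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((13, 1, 0), (18, 4, 6)),
    ((18, 5, 0), (18, 5, 4)),
    ((18, 6, 0), (18, 6, 2)),
]

# Anchored at line start so "Ruby Version:" / "Gem Version:" lines are ignored.
VERSION_LINE = re.compile(r"^Version:\s*(\d+)\.(\d+)\.(\d+)", re.MULTILINE)
# Fallback for a bare version string such as "18.6.1-ee".
BARE_VERSION = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")

# Constructed sample of gitlab:env:info output (shape assumed, values invented).
SAMPLE_ENV_INFO = """\
System information
System:         Ubuntu 22.04
Ruby Version:   3.2.4p170
Gem Version:    3.5.11

GitLab information
Version:        18.6.1-ee
Revision:       0123abcd
"""


def parse_version(text: str) -> Optional[Version]:
    """Return (major, minor, patch) from env:info output or a bare version string.

    Edition suffixes such as "-ee" are ignored. Returns None if nothing matches.
    """
    m = VERSION_LINE.search(text) or BARE_VERSION.match(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_vulnerable(version: Version) -> bool:
    """True if the version falls inside any affected range (version-only check;
    the page also requires WebAuthn to be enabled for exploitation)."""
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)


def assess(text: str) -> str:
    """Human-readable verdict for a version string or env:info dump."""
    v = parse_version(text)
    if v is None:
        return "unknown: no version found"
    label = "vulnerable" if is_vulnerable(v) else "not affected"
    return f"{'.'.join(map(str, v))}: {label}"


if __name__ == "__main__":
    # In practice: assess(subprocess.check_output(
    #     ["sudo", "gitlab-rake", "gitlab:env:info"], text=True))
    print(assess(SAMPLE_ENV_INFO))
```

Feed the function the real command output via subprocess on the GitLab host; the version-only verdict still needs to be combined with whether WebAuthn is enabled on the instance, which this check does not inspect.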
📡 Detection & Monitoring
Log Indicators:
- Successful logins for 2FA-enrolled accounts that did not pass through a second factor (GitLab's "Successful Login" message in application_json.log records the method used, e.g. method=standard versus method=two-factor or method=two-factor-via-webauthn-device; verify the exact strings on your instance)
- Multiple failed 2FA attempts followed by a successful login from the same source
- Sign-ins from new IP addresses or user agents for accounts protected by WebAuthn, especially administrators
Network Indicators:
- Unusual authentication traffic patterns
- Requests bypassing expected 2FA flow
SIEM Query:
The query below is illustrative: GitLab does not emit a webauthn="bypassed" field or any direct "2FA bypassed" marker, so the field names must be mapped onto your own log schema, and the list of 2FA-enrolled users has to come from the instance itself.
source="gitlab" "Successful Login" method="standard" username IN (<2FA-enrolled users>)
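To show the log indicator above as running detection logic, here is an added example (not GitLab code and not a vendor-supplied signature) that scans application_json.log-style lines for 2FA-enrolled users whose login completed with a non-two-factor method. The log lines are constructed for the example and modeled on GitLab's "Successful Login: username=... ip=... method=... admin=..." message; the method values and the message format are assumptions to confirm against your instance, and the set of 2FA-enrolled users is a constructed stand-in for data you would export from the database. Whether the bypass described on this page leaves a method=standard trace is not stated on the page, so treat this as a policy check (password-only logins where a second factor was expected) rather than a CVE-specific signature.

```python
"""Flag logins that completed without a second factor for 2FA-enrolled accounts.

Added example, not GitLab code. Log format and method strings are assumptions
modeled on GitLab's application_json.log "Successful Login" message.
"""
import json
import re
from typing import Dict, Iterable, List, Set

LOGIN_RE = re.compile(
    r"Successful Login: username=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"method=(?P<method>\S+) admin=(?P<admin>\S+)"
)

# Methods assumed to indicate a completed second factor; "standard" means
# first factor only. Confirm these strings against your own logs.
SECOND_FACTOR_METHODS: Set[str] = {
    "two-factor",
    "two-factor-via-webauthn-device",
    "two-factor-via-u2f-device",
}

# Constructed sample log lines (invented users, documentation IP ranges).
SAMPLE_LOG = [
    '{"severity":"INFO","time":"2025-12-11T09:14:02.123Z","message":'
    '"Successful Login: username=alice ip=203.0.113.7 method=two-factor-via-webauthn-device admin=false"}',
    '{"severity":"INFO","time":"2025-12-11T09:15:40.551Z","message":'
    '"Successful Login: username=bob ip=203.0.113.9 method=standard admin=false"}',
    '{"severity":"INFO","time":"2025-12-11T09:16:05.002Z","message":'
    '"Successful Login: username=alice ip=198.51.100.23 method=standard admin=true"}',
    '{"severity":"INFO","time":"2025-12-11T09:16:30.000Z","message":'
    '"Rack_Attack: throttle_unauthenticated_web ..."}',
    "not json at all",
]

# Constructed stand-in for the 2FA-enrolled user list exported from the instance.
USERS_WITH_2FA: Set[str] = {"alice", "carol"}


def parse_logins(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Extract login events from JSON log lines; other or malformed lines are skipped."""
    events: List[Dict[str, str]] = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        m = LOGIN_RE.search(rec.get("message", ""))
        if not m:
            continue
        ev = m.groupdict()
        ev["time"] = rec.get("time", "")
        events.append(ev)
    return events


def find_missing_second_factor(lines: Iterable[str],
                               users_with_2fa: Set[str]) -> List[Dict[str, str]]:
    """Return logins by 2FA-enrolled users whose method is not a second-factor method."""
    return [
        ev for ev in parse_logins(lines)
        if ev["user"] in users_with_2fa and ev["method"] not in SECOND_FACTOR_METHODS
    ]


if __name__ == "__main__":
    for ev in find_missing_second_factor(SAMPLE_LOG, USERS_WITH_2FA):
        print(f"{ev['time']} {ev['user']} from {ev['ip']} logged in via "
              f"{ev['method']} despite 2FA enrolment (admin={ev['admin']})")
```

Against the sample, only alice's second login is reported: bob is not enrolled in 2FA, and alice's first login carries a WebAuthn method. Run it over the real log with a user list exported from the instance, and treat any hit on an administrator account as an incident until explained.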