CVE-2025-2246
📋 TL;DR
This vulnerability allows unauthenticated attackers to access sensitive CI/CD variables through GitLab's GraphQL API. It affects all GitLab CE/EE instances running vulnerable versions. Attackers can steal credentials, tokens, and other secrets stored in manual CI/CD variables.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of CI/CD pipelines, credential theft leading to lateral movement, and potential supply chain attacks through stolen deployment secrets.
Likely Case
Exfiltration of sensitive CI/CD variables containing API keys, passwords, or deployment tokens that could be used for unauthorized access to other systems.
If Mitigated
Limited impact if proper network segmentation and access controls prevent external attackers from reaching the GitLab instance.
🎯 Exploit Status
Exploitation requires only unauthenticated GraphQL API access. The vulnerability is well-documented in public reports.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 18.1.5, 18.2.5, or 18.3.1
Vendor Advisory: https://gitlab.com/gitlab-org/gitlab/-/issues/524592
Restart Required: Yes
Instructions:
1. Backup your GitLab instance.
2. Update to GitLab 18.1.5, 18.2.5, or 18.3.1 using your package manager.
3. Restart GitLab services.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Restrict GraphQL API Access
Block unauthenticated access to the GraphQL API endpoint using network controls or web application firewall rules.
# Example nginx config to block /api/graphql for unauthenticated users
location /api/graphql {
    # nginx cannot evaluate GitLab sessions or tokens, so "deny all" blocks every
    # client, including legitimate authenticated users of the GraphQL API.
    # To keep the API usable from trusted networks, add "allow <trusted CIDR>;"
    # lines (placeholder) above the deny, or enforce authentication in the WAF.
    deny all;
}
🧯 If You Can't Patch
- Implement strict network access controls to limit GitLab instance exposure to only trusted networks.
- Review and rotate all manual CI/CD variables, especially those containing sensitive credentials or secrets.
🔍 How to Verify
Check if Vulnerable:
Check GitLab version via admin interface or command: sudo gitlab-rake gitlab:env:info | grep 'GitLab version'
Check Version:
sudo gitlab-rake gitlab:env:info | grep 'GitLab version'
Verify Fix Applied:
Confirm the version is 18.1.5, 18.2.5, or 18.3.1 or higher. After the fix, unauthenticated GraphQL queries for manual CI/CD variables should be denied.
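The version check above is easy to get wrong by hand because the fix landed on three branches at once (18.1.x, 18.2.x, 18.3.x) and a plain string comparison of "18.2.3" against "18.1.5" gives the wrong answer. The following added example (not part of the original advisory or of GitLab itself) parses the output of `sudo gitlab-rake gitlab:env:info` and decides whether the running release is at or above the fixed release for its branch. It assumes that any branch newer than 18.3 also carries the fix and that branches older than 18.1, for which the advisory lists no fixed release, should be treated as not fixed; the sample output is constructed.

```python
import re
import sys

# Minimum fixed release on each affected branch, as listed in the advisory.
FIXED_RELEASES = [(18, 1, 5), (18, 2, 5), (18, 3, 1)]

# Matches the "GitLab version:" line printed by `gitlab-rake gitlab:env:info`.
# Edition suffixes such as "-ee" are ignored.
VERSION_RE = re.compile(r"GitLab version:\s*(\d+)\.(\d+)\.(\d+)")


def parse_env_info(output: str) -> tuple:
    """Return (major, minor, patch) from gitlab:env:info output."""
    match = VERSION_RE.search(output)
    if not match:
        raise ValueError("no 'GitLab version:' line found in input")
    return tuple(int(part) for part in match.groups())


def is_fixed(version: tuple) -> bool:
    """True if `version` is at or above the fixed release for its branch."""
    major, minor, patch = version
    newest_fixed_branch = max(FIXED_RELEASES)[:2]
    # Assumption: every branch newer than 18.3 was cut after the fix.
    if (major, minor) > newest_fixed_branch:
        return True
    for fixed_major, fixed_minor, fixed_patch in FIXED_RELEASES:
        if (major, minor) == (fixed_major, fixed_minor):
            return patch >= fixed_patch
    # Branches older than 18.1 have no fixed release listed: treat as not fixed.
    return False


# Constructed sample output, not captured from a real server.
SAMPLE_ENV_INFO = "System information\nRuby Version:\t3.2.5\nGitLab version:\t18.2.3-ee\n"


if __name__ == "__main__":
    # Usage: sudo gitlab-rake gitlab:env:info | python3 check_version.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ENV_INFO
    found = parse_env_info(text)
    status = "fixed" if is_fixed(found) else "NOT fixed"
    print("GitLab %d.%d.%d: %s" % (found + (status,)))
```

Because the comparison is branch-aware, 18.2.3 is reported as not fixed even though it is numerically "later" than 18.1.5, which is exactly the case a naive check misses.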
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated GraphQL queries to CI/CD variables in application logs
- Multiple failed authentication attempts followed by GraphQL API access
Network Indicators:
- Unusual GraphQL query patterns from unauthenticated IP addresses
- Traffic to /api/graphql endpoint without authentication headers
SIEM Query:
source="gitlab" AND ("GraphQL" OR "/api/graphql") AND NOT (authenticated_user_id=* OR user_id=*)
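The SIEM query above expresses the idea but not the mechanics. The following added example (not part of the original advisory, and not GitLab code) implements the same rule over JSON request-log lines: select requests to /api/graphql that carry no user attribute, count them per source address, and flag sources above a threshold. The field names (`path`, `remote_ip`, `meta.user` and the alternatives in `USER_FIELDS`) are an assumption modelled on GitLab's JSON request log and on the query above; verify them against your own instance. The log lines are constructed.

```python
import json
from collections import Counter

# Constructed sample lines in the shape of a GitLab JSON request log.
# Field names are an assumption; check them against your instance's log format.
SAMPLE_LOG = """
{"method":"POST","path":"/api/graphql","remote_ip":"203.0.113.10","status":200}
{"method":"POST","path":"/api/graphql","remote_ip":"203.0.113.10","status":200}
{"method":"POST","path":"/api/graphql","remote_ip":"203.0.113.10","status":200}
{"method":"POST","path":"/api/graphql","remote_ip":"198.51.100.7","status":200,"meta.user":"alice"}
{"method":"GET","path":"/api/v4/projects","remote_ip":"203.0.113.10","status":401}
{"method":"POST","path":"/api/graphql","remote_ip":"192.0.2.55","status":200}
not a json line
"""

# Any of these fields being set marks the request as authenticated.
USER_FIELDS = ("meta.user", "username", "user_id", "authenticated_user_id")


def is_unauth_graphql(entry: dict) -> bool:
    """Mirror of the SIEM query: a GraphQL request with no user attribute."""
    if entry.get("path") != "/api/graphql":
        return False
    return not any(entry.get(field) for field in USER_FIELDS)


def unauth_graphql_by_ip(log_text: str) -> Counter:
    """Count unauthenticated GraphQL requests per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # non-JSON lines are skipped rather than aborting the scan
        if is_unauth_graphql(entry):
            counts[entry.get("remote_ip", "unknown")] += 1
    return counts


def flag_sources(log_text: str, threshold: int = 3) -> list:
    """Source IPs with at least `threshold` unauthenticated GraphQL requests."""
    counts = unauth_graphql_by_ip(log_text)
    return sorted(ip for ip, hits in counts.items() if hits >= threshold)


if __name__ == "__main__":
    for ip, hits in unauth_graphql_by_ip(SAMPLE_LOG).most_common():
        print("%-15s %d unauthenticated GraphQL requests" % (ip, hits))
    print("flagged:", flag_sources(SAMPLE_LOG))
```

A threshold is used rather than alerting on every hit because unauthenticated GraphQL requests are legitimate on instances that expose public projects; the signal is volume from a single source, combined with the failed-login sequence listed under Log Indicators.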