CVE-2025-2615
📋 TL;DR
This vulnerability allows blocked GitLab users to access sensitive information by establishing GraphQL subscriptions through WebSocket connections. It affects GitLab CE/EE installations running vulnerable versions, potentially exposing confidential data to unauthorized users.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
Blocked users could access sensitive information including private repositories, user data, or internal project details they should be restricted from viewing.
Likely Case
Blocked users with existing WebSocket connections could maintain access to GraphQL subscription data they should have lost access to after being blocked.
If Mitigated
With proper access controls and monitoring, impact is limited to potential information disclosure to blocked users who maintain active WebSocket sessions.
🎯 Exploit Status
Exploitation requires a previously authenticated user who gets blocked while maintaining WebSocket connections.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 18.3.6, 18.4.4, or 18.5.2
Vendor Advisory: https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released/
Restart Required: Yes
Instructions:
1. Back up your GitLab instance.
2. Update to GitLab 18.3.6, 18.4.4, or 18.5.2, depending on your current release line.
3. Restart GitLab services.
4. Verify that the update completed successfully.
🔧 Temporary Workarounds
Disable GraphQL WebSocket subscriptions
Temporarily disable GraphQL subscriptions over WebSocket connections to prevent exploitation
Edit GitLab configuration to disable GraphQL subscriptions feature
Terminate active WebSocket connections
Force close existing WebSocket connections when users are blocked
Implement connection termination scripts or modify user blocking procedures
🧯 If You Can't Patch
- Monitor and terminate WebSocket connections for blocked users
- Implement additional access controls and monitoring for GraphQL endpoints
🔍 How to Verify
Check if Vulnerable:
Compare your GitLab version against the affected ranges: 16.7 through 18.3.5, 18.4 through 18.4.3, and 18.5 through 18.5.1
Check Version:
sudo gitlab-rake gitlab:env:info | grep 'Version:'
Verify Fix Applied:
Confirm the running GitLab version is 18.3.6, 18.4.4, or 18.5.2 or higher
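The version check above is easy to get wrong by hand because the affected ranges are per release line (18.3.5 is vulnerable, 18.3.6 is fixed, but 18.4.0 is vulnerable again). The following script, an added example that is not part of this advisory or of GitLab's own tooling, encodes the three affected ranges stated above as half-open intervals, parses the application version out of gitlab-rake gitlab:env:info output (which also prints Version: lines for Ruby, Redis and GitLab Shell, so it only reads the one under the GitLab information header), and reports whether the host is in an affected range. The sample env:info text is constructed for the example, and the exact layout of the real rake output is an assumption.

```python
import re
import subprocess

# Affected ranges as stated in the advisory: 16.7 through 18.3.5, 18.4 through 18.4.3,
# and 18.5 through 18.5.1. Each range is [lower, first_fixed), so the first fixed
# release of each line (18.3.6, 18.4.4, 18.5.2) is excluded.
AFFECTED_RANGES = (
    ((16, 7, 0), (18, 3, 6)),
    ((18, 4, 0), (18, 4, 4)),
    ((18, 5, 0), (18, 5, 2)),
)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from strings such as '18.5.1' or '18.5.1-ee'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version):
    """True if the GitLab version lies inside one of the advisory's affected ranges."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    return any(low <= v < fixed for low, fixed in AFFECTED_RANGES)


def extract_gitlab_version(env_info):
    """Pull the application version out of `gitlab-rake gitlab:env:info` output.

    The output carries several 'Version:' lines (Ruby, Redis, GitLab Shell, ...), so only
    the 'Version:' line that follows the 'GitLab information' header is used.
    """
    in_gitlab_section = False
    for line in env_info.splitlines():
        stripped = line.strip()
        if stripped.startswith("GitLab information"):
            in_gitlab_section = True
            continue
        if in_gitlab_section and stripped.startswith("Version:"):
            return stripped.split(":", 1)[1].strip()
    raise ValueError("GitLab version not found in env:info output")


# Constructed, abridged sample of env:info output (not captured from a real host;
# the revision is a placeholder).
SAMPLE_ENV_INFO = """\
System information
System:
Current User:\tgit
Ruby Version:\t3.2.5
Redis Version:\t7.0.15

GitLab information
Version:\t18.5.1-ee
Revision:\tPLACEHOLDER
Directory:\t/opt/gitlab/embedded/service/gitlab-rails

GitLab Shell
Version:\t14.45.0
"""


def check_host():
    """Run the rake task on this host and return (version, affected?)."""
    out = subprocess.run(
        ["sudo", "gitlab-rake", "gitlab:env:info"],
        capture_output=True, text=True, check=True,
    ).stdout
    version = extract_gitlab_version(out)
    return version, is_affected(version)


if __name__ == "__main__":
    v = extract_gitlab_version(SAMPLE_ENV_INFO)
    state = "AFFECTED" if is_affected(v) else "not in an affected range"
    print(f"sample host runs GitLab {v}: {state}")
```

Run it as-is to see the constructed sample evaluated (18.5.1 is reported as affected); call check_host() on a GitLab node to evaluate the real installation. Versions outside all three ranges, such as 16.6.x or 18.6 and later, are reported as not affected because the advisory does not list them.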
📡 Detection & Monitoring
Log Indicators:
- Unusual GraphQL subscription activity from blocked users
- WebSocket connections persisting after user blocking
Network Indicators:
- Sustained WebSocket connections from blocked user accounts
- GraphQL subscription traffic from unauthorized sources
SIEM Query:
source="gitlab" AND (user_status="blocked" AND protocol="websocket")
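The SIEM query above matches any WebSocket traffic tagged with a blocked user, but the log indicators in this section are really about ordering: WebSocket or GraphQL-subscription activity that continues after the block event. The script below is an added example, not part of this advisory and not based on GitLab's real log schema; the JSON event shape and field names (event, user, conn, op) are assumptions, and the log lines are constructed. It sorts the events by time, records when each user was first blocked, and flags every later WebSocket connect or GraphQL subscription by that user, which is the persisting-connection pattern the indicators describe.

```python
import json
from datetime import datetime

# Constructed sample log lines. The JSON shape and field names are assumptions made
# for this example; they are not GitLab's actual log format.
SAMPLE_LOG_LINES = [
    '{"time":"2025-11-13T09:00:00Z","event":"websocket_connect","user":"alice","conn":"c-1"}',
    '{"time":"2025-11-13T09:00:05Z","event":"graphql_subscription","user":"alice","conn":"c-1","op":"issueUpdated"}',
    '{"time":"2025-11-13T09:10:00Z","event":"user_blocked","user":"alice","by":"admin"}',
    '{"time":"2025-11-13T09:12:30Z","event":"graphql_subscription","user":"alice","conn":"c-1","op":"mergeRequestUpdated"}',
    '{"time":"2025-11-13T09:15:00Z","event":"websocket_connect","user":"alice","conn":"c-2"}',
    '{"time":"2025-11-13T09:00:10Z","event":"graphql_subscription","user":"bob","conn":"c-3","op":"issueUpdated"}',
    '{"time":"2025-11-13T09:20:00Z","event":"user_blocked","user":"carol","by":"admin"}',
    '{"time":"2025-11-13T09:05:00Z","event":"graphql_subscription","user":"carol","conn":"c-4","op":"issueUpdated"}',
]

# Event types that represent WebSocket / GraphQL-subscription activity (assumed names).
WEBSOCKET_EVENTS = {"websocket_connect", "graphql_subscription"}


def parse_events(lines):
    """Parse JSON log lines into dicts with a datetime 'time' field, sorted by time."""
    events = []
    for line in lines:
        rec = json.loads(line)
        # Accept a trailing 'Z' on older Pythons by rewriting it as an explicit offset.
        rec["time"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["time"])


def find_post_block_activity(events):
    """Return WebSocket/subscription events that occur after the user was blocked.

    Events must be time-ordered. The first 'user_blocked' record for a user is the
    cutoff; any later WebSocket activity by that user is reported, with the delay
    in seconds after the block so persisting connections stand out.
    """
    blocked_at = {}
    findings = []
    for rec in events:
        if rec["event"] == "user_blocked":
            blocked_at.setdefault(rec["user"], rec["time"])
        elif rec["event"] in WEBSOCKET_EVENTS and rec["user"] in blocked_at:
            findings.append({
                "user": rec["user"],
                "conn": rec.get("conn"),
                "event": rec["event"],
                "seconds_after_block": (rec["time"] - blocked_at[rec["user"]]).total_seconds(),
            })
    return findings


if __name__ == "__main__":
    for f in find_post_block_activity(parse_events(SAMPLE_LOG_LINES)):
        print(f"{f['user']}: {f['event']} on {f['conn']} "
              f"{f['seconds_after_block']:.0f}s after block")
```

On the constructed sample, only alice is reported: a subscription on her pre-existing connection c-1 and a fresh connect c-2, both after her block. carol's subscription precedes her block and bob is never blocked, so neither appears. Pointing parse_events at real lines requires mapping your log source's field names onto the assumed ones.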