CVE-2025-3950
📋 TL;DR
This vulnerability in GitLab allows authenticated users to bypass asset proxy protection by referencing specially crafted images, potentially leaking sensitive information. It affects GitLab CE and EE instances that have not been updated to a fixed release. The impact is limited to information disclosure rather than system compromise.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could leak sensitive information such as internal asset URLs, configuration details, or other protected resources that should be proxied through GitLab's asset proxy.
Likely Case
An authenticated user could bypass asset proxy protections to access images or assets that should be restricted, potentially revealing internal network information or bypassing content controls.
If Mitigated
With proper access controls and network segmentation, the impact is limited to information disclosure within the authenticated user's privilege level.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of crafting specific image references to bypass proxy protections.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 18.5.5, 18.6.3, or 18.7.1
Vendor Advisory: https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released/
Restart Required: Yes
Instructions:
1. Back up your GitLab instance and database.
2. Update to GitLab 18.5.5, 18.6.3, or 18.7.1, depending on your current version.
3. Restart GitLab services.
4. Verify that the update was successful.
🔧 Temporary Workarounds
Disable asset proxy
Platform: Linux
Temporarily disable GitLab's asset proxy feature to prevent exploitation.
Edit gitlab.rb: gitlab_rails['asset_proxy_enabled'] = false
Reconfigure: gitlab-ctl reconfigure
🧯 If You Can't Patch
- Restrict authenticated user access to only trusted individuals
- Implement network segmentation to limit what information can be leaked through asset proxy bypass
🔍 How to Verify
Check if Vulnerable:
Check the running GitLab version with:
sudo gitlab-rake gitlab:env:info | grep 'GitLab version'
Verify Fix Applied:
Verify that the version is 18.5.5, 18.6.3, or 18.7.1, or later on the same release branch (a version such as 18.6.0 is above 18.5.5 but still unpatched).
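As an added example that is not part of this advisory or of GitLab's own tooling, the following POSIX shell check parses the version out of a line of the command output above and applies the per-branch fixed versions (18.5.5, 18.6.3, 18.7.1). It assumes that minor branches older than 18.5 are unpatched and that anything newer than 18.7.1 is fixed; the sample line is constructed.

```shell
#!/bin/sh
# Added example (not GitLab's code): decide whether a GitLab version string
# is at or above the fixed releases this advisory names for CVE-2025-3950:
# 18.5.5, 18.6.3 and 18.7.1. The check is branch-aware, so 18.6.0 is
# reported as unpatched even though it sorts above 18.5.5.
# Assumptions not stated in the advisory: minor branches older than 18.5
# are treated as unpatched, and anything above 18.7.x as fixed.

# Pull the first x.y.z token out of a line of `gitlab-rake gitlab:env:info`
# output (a suffix such as "-ee" after the patch number is ignored).
gitlab_version_from_line() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p'
}

# Exit status: 0 = fixed, 1 = vulnerable, 2 = not a parseable x.y.z version.
gitlab_fixed_for_cve_2025_3950() {
    ver=$1
    old_ifs=$IFS; IFS=.; set -- $ver; IFS=$old_ifs
    [ $# -eq 3 ] || return 2
    for f in "$1" "$2" "$3"; do
        case "$f" in ''|*[!0-9]*) return 2 ;; esac
    done
    major=$1; minor=$2; patch=$3
    [ "$major" -gt 18 ] && return 0
    [ "$major" -lt 18 ] && return 1
    case "$minor" in
        5) [ "$patch" -ge 5 ] ;;   # 18.5.x branch fixed in 18.5.5
        6) [ "$patch" -ge 3 ] ;;   # 18.6.x branch fixed in 18.6.3
        7) [ "$patch" -ge 1 ] ;;   # 18.7.x branch fixed in 18.7.1
        *) [ "$minor" -gt 7 ] ;;   # 18.8+ assumed fixed, 18.4 and older not
    esac
}

# Constructed sample line standing in for the grep output in the advisory.
sample_line='GitLab version: 18.6.2-ee'
v=$(gitlab_version_from_line "$sample_line")
if gitlab_fixed_for_cve_2025_3950 "$v"; then
    echo "$v: fixed for CVE-2025-3950"
else
    echo "$v: NOT fixed, update to 18.5.5, 18.6.3 or 18.7.1"
fi
```

Pipe the real `gitlab-rake` output line into `gitlab_version_from_line` and feed the result to `gitlab_fixed_for_cve_2025_3950` to get a machine-checkable exit status for fleet-wide scans.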
📡 Detection & Monitoring
Log Indicators:
- Unusual asset proxy bypass attempts
- Requests for specially crafted image URLs that bypass normal proxy patterns
Network Indicators:
- Direct asset requests bypassing GitLab proxy
- Unusual image reference patterns in HTTP requests
SIEM Query:
source="gitlab" AND (asset_proxy_bypass OR image_reference_anomaly)