CVE-2025-9825
📋 TL;DR
This vulnerability allows authenticated GitLab users who hold no membership in a project to read that project's sensitive manual CI/CD variables (the variables supplied when a pipeline is run by hand) through GraphQL API queries. It affects GitLab CE/EE installations running vulnerable versions. Because a variable's value is all an attacker needs, any credentials, tokens or other secrets stored in these variables must be treated as exposed.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain production credentials, API tokens, or deployment secrets leading to data breaches, unauthorized deployments, or lateral movement within infrastructure.
Likely Case
Internal users or compromised accounts access sensitive variables from projects they shouldn't have access to, potentially exposing development secrets.
If Mitigated
Once the patch is applied, the GraphQL API again enforces project membership before returning these variables. Until then there is no partial protection: the bug is read-only, so an attacker cannot change variables through it, but reading a secret is enough to use it, and every value a non-member could have fetched must be treated as compromised and rotated.
🎯 Exploit Status
Exploitation requires only an ordinary authenticated account on the instance (no project membership) and a single GraphQL query, so the bar is low on instances with open sign-up or a large user base. No public exploit code was known at the time of writing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 18.2.9, 18.3.4 or 18.4.2, or any later release in the same or a newer branch
Vendor Advisory: https://about.gitlab.com/releases/2025/10/08/patch-release-gitlab-18-4-2-released/
Restart Required: Yes
Instructions:
1. Back up the GitLab instance (database, repositories and /etc/gitlab).
2. Upgrade to GitLab 18.2.9, 18.3.4 or 18.4.2 (or later), following the upgrade path for your install method.
3. Restart GitLab services (gitlab-ctl restart on Omnibus installs).
4. Confirm the new version is reported and that an account without project membership can no longer read manual CI/CD variables over GraphQL.
🔧 Temporary Workarounds
Restrict GraphQL API Access
Limit who can reach the instance's HTTPS listener to trusted networks via firewall rules or a reverse proxy. Be clear about what this buys: GraphQL shares port 443 with the rest of GitLab, so the rules below also cut off the web UI, the REST API and git-over-HTTPS for everyone outside the trusted range, and they do nothing against the actual threat, an account that can already authenticate from inside that range. Treat this as a way to shrink the attacker population, not as a fix.
# Allow only the trusted range (replace TRUSTED_CIDR with your network, e.g. a /24) to reach HTTPS, drop everyone else
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_CIDR -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Disable GraphQL API
Only an option for instances used purely for git operations: the GitLab web UI itself is built on /api/graphql, so blocking it breaks most pages for every user. GitLab does not document a gitlab.rb key that switches GraphQL off on its own; the gitlab_rails['gitlab_api_enabled'] key shown here is not in the documented gitlab.rb reference, so confirm it exists in your version's gitlab.rb template before relying on it, or block the /api/graphql path at the reverse proxy in front of GitLab instead.
# Edit gitlab.rb configuration (unverified setting; check your version's template)
gitlab_rails['gitlab_api_enabled'] = false
# Reconfigure GitLab
gitlab-ctl reconfigure
🧯 If You Can't Patch
- Assume any manual CI/CD variable on the instance may already have been read: rotate the credentials, tokens and other secrets stored in them, and re-rotate after patching
- Limit who can authenticate at all (disable open sign-up, remove unused accounts) and review GraphQL logs for variable reads from accounts that are not members of the project queried
🔍 How to Verify
Check if Vulnerable:
Compare the running version against the fixed releases. The /help page of the web UI and the Admin Area both show the version, GET /api/v4/version returns it as JSON to an authenticated caller, and on the server:
Check Version:
sudo gitlab-rake gitlab:env:info | grep -A1 '^GitLab information'
The version appears on the Version: line that follows, e.g. Version: 18.4.1-ee.
Verify Fix Applied:
Confirm the version is 18.2.9+, 18.3.4+ or 18.4.2+ within its branch (or a newer branch). Then test with a low-privilege account that is not a member of a project that has manual CI/CD variables: its GraphQL query for those variables must come back without values.
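The upgrade steps above and this verification both come down to one question: does the reported version carry the fix? The script below is an added example written for this page, not GitLab's own tooling. It reads the output of gitlab-rake gitlab:env:info (or any string containing a version such as 18.4.1-ee) and compares it against the three fixed releases from the advisory. It assumes the Version: line format shown above, treats every branch newer than 18.4 as fixed ("or later"), and reports branches older than 18.2, for which no fixed release exists, as vulnerable. The constructed sample output is there only so the script runs stand-alone.

```python
import re
import sys

# Fixed releases from the advisory, keyed by release branch (major, minor).
FIXED = {(18, 2): 9, (18, 3): 4, (18, 4): 2}
# Assumption: every branch from here on ships the fix ("18.4.2 or later").
FIRST_FIXED_NEWER_BRANCH = (18, 5)

# Matches the "Version:<tab>18.4.1-ee" line of `gitlab-rake gitlab:env:info`.
# "Ruby Version:" and similar lines do not match because they do not start
# with "Version:".
VERSION_LINE = re.compile(r"^\s*Version:\s*(\d+)\.(\d+)\.(\d+)", re.MULTILINE)
BARE_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)")

# Constructed sample of the command's output, trimmed to the relevant lines.
SAMPLE_ENV_INFO = """System information
Ruby Version:\t3.2.5
GitLab information
Version:\t18.4.1-ee
Revision:\tabc1234
"""


def parse_version(text):
    """Return (major, minor, patch) from env:info output or a bare version
    string such as '18.4.1-ee'; None if no version is present."""
    match = VERSION_LINE.search(text) or BARE_VERSION.search(text)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def is_patched(version):
    """True when this version carries the fix for CVE-2025-9825."""
    major, minor, patch = version
    branch = (major, minor)
    if branch in FIXED:
        return patch >= FIXED[branch]
    # Newer than any listed branch: fixed. Older (18.1, 17.x, ...): no fixed
    # release exists for that branch, so it is reported as vulnerable.
    return branch >= FIRST_FIXED_NEWER_BRANCH


def assess(text):
    """Combine parsing and the version check into a single verdict."""
    version = parse_version(text)
    if version is None:
        return {"version": None, "status": "unknown"}
    return {
        "version": "%d.%d.%d" % version,
        "status": "patched" if is_patched(version) else "vulnerable",
    }


if __name__ == "__main__":
    # Usage: sudo gitlab-rake gitlab:env:info | python3 check_version.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ENV_INFO
    print(assess(data))
```

The branch-aware comparison matters: a naive "is it at least 18.4.2" check would wrongly flag a patched 18.2.9 or 18.3.4 as vulnerable, and a naive "is it at least 18.2.9" check would wrongly pass 18.3.1.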
📡 Detection & Monitoring
Log Indicators:
On Omnibus installs GraphQL requests are written to /var/log/gitlab/gitlab-rails/graphql_json.log with the query text, its variables and the calling user, so the queries can be inspected rather than inferred:
- Queries selecting CI/CD variable fields from accounts that hold no membership in the project named in the query's fullPath argument
- One account reading variables across many projects in a short window, which looks like enumeration rather than normal UI use
Network Indicators:
- Requests to /api/graphql from source addresses or clients that otherwise never use the API (legitimate automation usually comes from a small, known set of runners and integrations)
- Bursts of variable-related queries outside the pattern of normal UI traffic
SIEM Query:
The query below is pseudo-syntax. Field names depend on how your collector parses graphql_json.log, and user_role is not a field in the log: project membership has to be joined in from GitLab's own membership data.
source="gitlab" AND (query="variables" OR query="ciCd") AND user_role!="project_member"
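A concrete version of the log indicators above, as an added example rather than anything GitLab ships: it reads graphql_json.log lines, keeps read queries that select a field whose name ends in "variables" (ciVariables, manualVariables), extracts the project from the query's fullPath argument, and flags accounts that read variables across several projects. Assumptions, all labelled in the code: the log is one JSON object per line with query_string, variables, is_mutation, operation_name, meta.user and meta.remote_ip keys (check a real line from your instance), and the GraphQL field names, which you should confirm against your instance's schema. The log lines are constructed for the example.

```python
import json
import re
from collections import defaultdict

# Assumption: a selection of a field whose name ends in "variables", e.g.
# "ciVariables {" or "manualVariables(". Confirm the field names against your
# instance's GraphQL schema; the regex deliberately casts a wide net.
VARIABLE_READ = re.compile(r"\b\w*variables\s*[({]", re.IGNORECASE)

# Constructed sample in the shape of graphql_json.log (one JSON object per
# line). Key names are an assumption based on GitLab's structured logs.
SAMPLE_LOG = """
{"time":"2025-10-09T10:00:01Z","meta.user":"mallory","meta.remote_ip":"203.0.113.7","operation_name":"ProjectVars","is_mutation":false,"query_string":"query ProjectVars($fullPath: ID!) { project(fullPath: $fullPath) { ciVariables { nodes { key value } } } }","variables":{"fullPath":"team-a/payments"}}
{"time":"2025-10-09T10:00:02Z","meta.user":"mallory","meta.remote_ip":"203.0.113.7","operation_name":"ProjectVars","is_mutation":false,"query_string":"query ProjectVars($fullPath: ID!) { project(fullPath: $fullPath) { ciVariables { nodes { key value } } } }","variables":{"fullPath":"team-a/billing"}}
{"time":"2025-10-09T10:00:03Z","meta.user":"mallory","meta.remote_ip":"203.0.113.7","operation_name":"PipelineVars","is_mutation":false,"query_string":"query PipelineVars($fullPath: ID!, $iid: ID!) { project(fullPath: $fullPath) { pipeline(iid: $iid) { manualVariables { nodes { key value } } } } }","variables":{"fullPath":"team-b/infra","iid":"42"}}
{"time":"2025-10-09T10:01:00Z","meta.user":"alice","meta.remote_ip":"10.0.0.5","operation_name":"ProjectVars","is_mutation":false,"query_string":"query ProjectVars($fullPath: ID!) { project(fullPath: $fullPath) { ciVariables { nodes { key value } } } }","variables":{"fullPath":"team-a/payments"}}
{"time":"2025-10-09T10:01:30Z","meta.user":"bob","meta.remote_ip":"10.0.0.9","operation_name":"SetDraft","is_mutation":true,"query_string":"mutation SetDraft($p: ID!, $i: String!) { mergeRequestSetDraft(input: {projectPath: $p, iid: $i, draft: true}) { errors } }","variables":{"p":"team-a/payments","i":"7"}}
{"time":"2025-10-09T10:02:00Z","meta.user":"carol","meta.remote_ip":"10.0.0.12","operation_name":"IntrospectionQuery","is_mutation":false,"query_string":"query IntrospectionQuery { __schema { types { name } } }","variables":{}}
this line is not json and is skipped
"""


def parse_graphql_log(lines):
    """Yield one dict per well-formed JSON line; skip blanks and garbage."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def graphql_variables(entry):
    """The query's variables, whether logged as an object or a JSON string."""
    value = entry.get("variables", {})
    if isinstance(value, str):
        try:
            value = json.loads(value)
        except json.JSONDecodeError:
            return {}
    return value if isinstance(value, dict) else {}


def find_variable_reads(entries):
    """Read queries that select a CI/CD variable field, with who and where."""
    hits = []
    for entry in entries:
        if entry.get("is_mutation"):
            continue
        if not VARIABLE_READ.search(entry.get("query_string") or ""):
            continue
        args = graphql_variables(entry)
        hits.append({
            "user": entry.get("meta.user") or "<anonymous>",
            "ip": entry.get("meta.remote_ip"),
            "project": args.get("fullPath") or args.get("projectPath") or "<unknown>",
            "operation": entry.get("operation_name"),
        })
    return hits


def suspicious_users(hits, min_projects=2):
    """Accounts that read variables from at least min_projects distinct
    projects: the enumeration pattern a non-member abusing this bug produces.
    Membership itself is not in the log; join that in from GitLab's data."""
    projects_by_user = defaultdict(set)
    for hit in hits:
        projects_by_user[hit["user"]].add(hit["project"])
    return {
        user: sorted(projects)
        for user, projects in projects_by_user.items()
        if len(projects) >= min_projects
    }


if __name__ == "__main__":
    reads = find_variable_reads(parse_graphql_log(SAMPLE_LOG.splitlines()))
    for user, projects in suspicious_users(reads).items():
        print(f"{user}: read variables in {len(projects)} projects: {projects}")
```

In practice, replace SAMPLE_LOG with the file and feed suspicious_users' output into a membership lookup; any hit where the user is not a member of the project is an incident, and the hit's ip and operation fields are what you pivot on next.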