CVE-2025-4972

An issue has been discovered in GitLab EE affecting all versions from 18.0 before 18.0.4 and 18.1 before 18.1.2 that could have allowed authenticated users with invitation privileges to bypass group-level user invitation restrictions by manipulating group invitation functionality.

CVSS v3 2.7 LOW

2.7^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://gitlab.com/gitlab-org/gitlab/-/issues/543816	Broken Link
https://hackerone.com/reports/3148693	Permissions Required

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*

History

25 Jul 2025, 16:40

Type	Values Removed	Values Added
Summary		(es) Se ha descubierto un problema en GitLab EE que afecta a todas las versiones desde la 18.0 anterior a la 18.0.4 y desde la 18.1 anterior a la 18.1.2 que podría haber permitido a usuarios autenticados con privilegios de invitación eludir las restricciones de invitación de usuarios a nivel de grupo manipulando la funcionalidad de invitación de grupo.
First Time		Gitlab gitlab Gitlab
References	~~() https://gitlab.com/gitlab-org/gitlab/-/issues/543816 -~~	() https://gitlab.com/gitlab-org/gitlab/-/issues/543816 - Broken Link
References	~~() https://hackerone.com/reports/3148693 -~~	() https://hackerone.com/reports/3148693 - Permissions Required
CPE		cpe:2.3:a:gitlab:gitlab:::::enterprise:::*

10 Jul 2025, 09:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-10 09:15

Updated : 2025-07-25 16:40

NVD link : CVE-2025-4972

Mitre link : CVE-2025-4972

CVE.ORG link : CVE-2025-4972

JSON object : View

Products Affected

gitlab

gitlab

CWE

CWE-863

Incorrect Authorization

2.7 /10