
CVE-2025-11340: GitLab Auth Bypass Vulnerability

CVE-2025-11340 is an authentication bypass flaw in GitLab EE that allowed read-only API tokens to perform unauthorized write operations on vulnerability records. This article covers technical details, affected versions, and mitigation.


CVE-2025-11340 Overview

CVE-2025-11340 is an authorization flaw in GitLab Enterprise Edition (EE) that allows authenticated users holding read-only API tokens to perform unauthorized write operations against vulnerability records. The defect lives in incorrectly scoped GraphQL mutations, which fail to honor the read-only constraint imposed on the calling token. The issue affects GitLab EE versions 18.3 through 18.3.4 and 18.4 through 18.4.2. GitLab released patched builds on October 8, 2025. The weakness is categorized under CWE-863: Incorrect Authorization.

Critical Impact

An attacker with a low-privilege, read-only personal access token can alter, dismiss, or otherwise tamper with security vulnerability records, undermining the integrity of GitLab's vulnerability management workflow.

Affected Products

  • GitLab Enterprise Edition 18.3 through 18.3.4
  • GitLab Enterprise Edition 18.4 through 18.4.2
  • Self-managed GitLab EE instances exposing the GraphQL API

Discovery Timeline

  • 2025-10-08 - GitLab releases patched versions 18.3.5 and 18.4.2
  • 2025-10-09 - CVE-2025-11340 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-11340

Vulnerability Analysis

The vulnerability stems from improper scoping of GraphQL mutation resolvers in GitLab EE's vulnerability management subsystem. GitLab personal access tokens support granular scopes such as read_api, which should restrict the token to read-only GraphQL queries and REST GET operations. The affected mutations did not verify whether the active token carried a write-capable scope before executing state-changing operations on Vulnerability objects.

As a result, an authenticated user can submit GraphQL mutations that modify vulnerability records, even when their token is provisioned solely with read-only scopes. The attack requires only network access to the GitLab GraphQL endpoint and a valid low-privilege token, with no user interaction. Because the impact crosses a security boundary (the token scope), the CVSS scope metric is marked as Changed.

Root Cause

The root cause is missing authorization enforcement at the GraphQL mutation layer. Authorization checks were performed for the user's permissions on the target object but did not validate the token scope. This is a classic CWE-863 incorrect authorization defect: one component of the access control decision was omitted from a code path that bypassed central scope validation.
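The following is an added illustration of the two-part decision described above; it is not GitLab's code. The token, project, role, and vulnerability classes are constructed, and only the scope names (read_api, api) mirror GitLab's public token scopes. The "vulnerable" function checks the user's project role alone, so a read-only token passes; the hardened function also requires a write-capable scope on the token before it touches the record.

```python
"""CWE-863 pattern from the root-cause discussion: an object-level permission
check that ignores token scope. Added example, not GitLab's implementation;
all classes, role ranks and the WRITE_SCOPES set are constructed assumptions."""
from dataclasses import dataclass

ROLE_RANK = {"guest": 10, "reporter": 20, "developer": 30, "maintainer": 40}
WRITE_SCOPES = {"api"}            # assumption: scopes allowed to change state
READ_ONLY_SCOPES = {"read_api"}   # assumption: scopes limited to reads


@dataclass
class Token:
    user: str
    scopes: frozenset


@dataclass
class Project:
    members: dict   # username -> role name


@dataclass
class Vulnerability:
    project: Project
    state: str = "detected"


class AuthorizationError(Exception):
    pass


def user_can_admin_vulnerability(project, username):
    # Object-level permission: Developer or above on the owning project.
    role = project.members.get(username, "")
    return ROLE_RANK.get(role, 0) >= ROLE_RANK["developer"]


def token_allows_write(token):
    # Token-level permission: at least one write-capable scope.
    return bool(token.scopes & WRITE_SCOPES)


def dismiss_vulnerability_vulnerable(token, vuln):
    # Only the user's role is checked; a read_api token is accepted.
    if not user_can_admin_vulnerability(vuln.project, token.user):
        raise AuthorizationError("user lacks permission")
    vuln.state = "dismissed"
    return vuln.state


def dismiss_vulnerability_hardened(token, vuln):
    # Both halves of the decision: token scope AND user permission.
    if not token_allows_write(token):
        raise AuthorizationError("token scope is read-only")
    if not user_can_admin_vulnerability(vuln.project, token.user):
        raise AuthorizationError("user lacks permission")
    vuln.state = "dismissed"
    return vuln.state


def decision(mutation, token, vuln):
    """Run a mutation and report the outcome as a string instead of raising."""
    try:
        return mutation(token, vuln)
    except AuthorizationError as exc:
        return f"denied: {exc}"


def demo():
    project = Project(members={"dev": "developer", "guest": "guest"})
    read_only = Token(user="dev", scopes=frozenset(READ_ONLY_SCOPES))
    return {
        "vulnerable_ro": decision(dismiss_vulnerability_vulnerable, read_only, Vulnerability(project)),
        "hardened_ro": decision(dismiss_vulnerability_hardened, read_only, Vulnerability(project)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point to check in a code review is that the hardened path fails closed on the token scope before it consults the user's role, so a scope that was never meant to write cannot be compensated for by a high project role.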

Attack Vector

Exploitation requires the attacker to possess a valid GitLab account with at least Developer-level access to a project containing vulnerability records and a personal access token limited to read_api or similar read-only scope. The attacker then issues a GraphQL mutation against the GitLab API endpoint targeting vulnerability resources. The server processes the mutation despite the token scope mismatch, persisting unauthorized changes such as state transitions, dismissals, or confirmations on vulnerability findings. No verified proof-of-concept code is publicly available. See GitLab Issue #567847 Discussion for additional technical context.

Detection Methods for CVE-2025-11340

Indicators of Compromise

  • Unexpected state transitions on Vulnerability records (for example, dismissed, resolved, or confirmed) attributed to user accounts that should not have write permission to the vulnerability management feature.
  • GraphQL mutation requests in production_json.log referencing operations such as vulnerabilityDismiss, vulnerabilityConfirm, or vulnerabilityResolve paired with tokens scoped read_api.
  • API access logs showing the same low-privilege token issuing both read queries and mutation operations against /api/graphql.

Detection Strategies

  • Correlate GitLab audit events for vulnerability record changes with the issuing token's scope metadata, flagging any mutation performed by a read-only token.
  • Baseline normal GraphQL mutation volume per user and alert on deviations targeting the vulnerability schema.
  • Review GitLab audit_events for vulnerability_state_changed actions originating from accounts that do not normally triage findings.
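The indicators and the first detection strategy above amount to one join: GraphQL mutation events against the Vulnerability schema, keyed by token, against the scope of each token. The script below is an added example (not GitLab tooling) that performs that join offline over constructed production_json.log lines. The field layout of the events (path, params, username, token_type, token_id) is an assumption about the log format, the token inventory is constructed, and the read-only scope set mirrors GitLab's documented scope names. It also covers the case the indicators do not spell out: an anonymous mutation with no operation name, which is still caught because the mutation field names are read from the query text rather than from operationName.

```python
"""Flag GraphQL vulnerability mutations issued with read-only personal access
tokens. Added example; log layout, token inventory and sample events are
constructed assumptions, not GitLab's documented format or real data."""
import json
import re

# Assumption: scopes that should never permit a state-changing mutation.
READ_ONLY_SCOPES = {"read_api", "read_user", "read_repository", "read_registry"}
# Mutation fields on the Vulnerability schema (vulnerabilityDismiss, ...).
VULN_FIELD_RE = re.compile(r"\b(vulnerability[A-Za-z0-9_]*)\s*\(")
MUTATION_RE = re.compile(r"\s*mutation\b")

# Constructed token inventory: token_id -> scopes. In practice this would be
# exported from the personal access token administration data.
TOKEN_SCOPES = {
    101: {"read_api"},
    102: {"api"},
    103: {"read_api", "read_repository"},
}


def _event(username, token_id, query):
    # Assumed production_json.log field names; all values are constructed.
    return {"method": "POST", "path": "/api/graphql", "status": 200,
            "username": username, "token_type": "PersonalAccessToken",
            "token_id": token_id, "params": [{"key": "query", "value": query}]}


DISMISS = 'mutation DismissVuln($id: VulnerabilityID!) { vulnerabilityDismiss(input: {id: $id}) { errors } }'
CONFIRM = 'mutation { vulnerabilityConfirm(input: {id: "gid://gitlab/Vulnerability/7"}) { errors } }'
LIST = 'query { project(fullPath: "grp/app") { vulnerabilities { nodes { id state } } } }'

# Constructed log: five JSON events, one per line.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _event("dev1", 101, DISMISS),   # read_api token mutating -> alert
    _event("sec1", 102, DISMISS),   # api token, expected triage traffic
    _event("dev1", 101, LIST),      # read query on a read token, fine
    _event("dev2", 103, CONFIRM),   # anonymous mutation, read-only token -> alert
    _event("ci", 999, CONFIRM),     # token missing from inventory -> review
])


def vulnerability_mutations(event):
    """Return the Vulnerability mutation fields present in a GraphQL event."""
    if event.get("path") != "/api/graphql":
        return set()
    query = next((p.get("value", "") for p in event.get("params", [])
                  if p.get("key") == "query"), "")
    if not MUTATION_RE.match(query):
        return set()          # queries are allowed on read-only tokens
    return set(VULN_FIELD_RE.findall(query))


def detect(log_text, token_scopes=TOKEN_SCOPES):
    """Join mutation events with token scopes; return one alert per hit."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        fields = vulnerability_mutations(event)
        if not fields:
            continue
        token_id = event.get("token_id")
        scopes = token_scopes.get(token_id)
        if scopes is None:
            reason = "token scope unknown"
        elif scopes <= READ_ONLY_SCOPES:
            reason = "read-only token issued vulnerability mutation"
        else:
            continue          # write-capable token: normal triage activity
        alerts.append({"username": event.get("username"), "token_id": token_id,
                       "mutations": sorted(fields), "scopes": sorted(scopes or []),
                       "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(json.dumps(alert))
```

Tokens absent from the inventory are surfaced separately rather than silently skipped, since a token you cannot classify is exactly the one the token-monitoring recommendation below is meant to catch.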

Monitoring Recommendations

  • Forward GitLab application and audit logs to a centralized analytics platform such as Singularity Data Lake for retention and correlation across identity, endpoint, and application telemetry.
  • Enable verbose GraphQL request logging on self-managed GitLab instances to capture operation names and token identifiers.
  • Monitor personal access token creation and scope changes to identify tokens that may be abused against this defect prior to patching.

How to Mitigate CVE-2025-11340

Immediate Actions Required

  • Upgrade GitLab EE to version 18.4.2, 18.3.5, or later as published in the GitLab Patch Release Announcement.
  • Audit all personal access tokens with read-only scopes and rotate any tokens suspected of misuse during the exposure window.
  • Review vulnerability records modified between the introduction of GitLab 18.3 and the date of patching, reverting any unauthorized state changes.

Patch Information

GitLab addressed the issue in the October 8, 2025 patch release. Self-managed administrators should apply GitLab EE 18.4.2 or 18.3.5. GitLab.com SaaS tenants received the fix as part of the standard deployment pipeline. Refer to the GitLab Patch Release Announcement for upgrade procedures and integrity checksums.

Workarounds

  • Restrict network access to the GitLab GraphQL endpoint to trusted operators until the upgrade is completed.
  • Disable or revoke read-only personal access tokens that are not strictly required for automation while the patch is being deployed.
  • Limit Developer-and-above role assignments on projects that contain sensitive vulnerability data until remediation is verified.

```bash
# Example upgrade for a Linux package-based GitLab EE installation
sudo apt-get update
sudo apt-get install gitlab-ee=18.4.2-ee.0
sudo gitlab-ctl reconfigure
sudo gitlab-rake gitlab:check SANITIZE=true
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
