CVE-2025-12506 Overview
CVE-2025-12506 affects GitLab Community Edition (CE) and Enterprise Edition (EE) across multiple release branches. The vulnerability stems from improper handling of Git reference name resolution [CWE-706]. Under certain conditions, an authenticated user can create a repository where content displayed in the web interface differs from the content available for download. This mismatch enables a content spoofing scenario that could mislead collaborators reviewing code through the GitLab UI. The issue affects all versions from 16.5 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2. GitLab remediated the flaw in patch releases across supported branches.
Critical Impact
An authenticated attacker can present benign-looking source in the web UI while shipping different content to users who clone or download the repository, undermining code review trust.
Affected Products
- GitLab CE/EE versions 16.5 up to (but not including) 18.11.7
- GitLab CE/EE versions 19.0 up to (but not including) 19.0.4
- GitLab CE/EE versions 19.1 up to (but not including) 19.1.2
Discovery Timeline
- 2026-07-08 - CVE-2025-12506 published to NVD
- 2026-07-08 - Last updated in NVD database
- Reported through the HackerOne Report #3351460
Technical Details for CVE-2025-12506
Vulnerability Analysis
The vulnerability resides in how GitLab resolves Git reference names when rendering repository content. Git allows references such as branches and tags to be identified by names that, in certain edge cases, can resolve to different underlying objects depending on the resolution path taken. GitLab's web interface and its download or clone path used inconsistent resolution logic. As a result, the commit or tree shown to a reviewer in the browser did not always match the commit served when the same reference was fetched over Git protocols. This inconsistency creates a content spoofing primitive tied to repository trust, and it is classified under [CWE-706] (Use of Incorrectly-Resolved Name or Reference). Exploitation requires an authenticated account with permission to create or manipulate a repository, and it requires user interaction from a victim who consumes the deceptive content. See the GitLab Patch Release Advisory for vendor details.
Root Cause
GitLab's reference name handling did not enforce a single, canonical resolution across the web display pipeline and the Git object delivery pipeline. When two components resolve the same reference name differently, the UI can display object A while clients receive object B.
Attack Vector
An authenticated user crafts a repository containing ambiguous or specially named Git references. The attacker shares the repository URL with a target. The victim reviews the code in the GitLab web interface and sees content that appears trustworthy. When the victim clones or downloads the same reference, Git delivers a different object, potentially containing modifications the reviewer never observed. See the GitLab Work Item Details for tracking information.
No verified proof-of-concept code is publicly available.
Refer to the vendor advisory for technical details on the
reference name resolution flaw.
Detection Methods for CVE-2025-12506
Indicators of Compromise
- Repositories containing Git references with unusual, ambiguous, or non-canonical names created shortly before shared review activity.
- Discrepancies between commit SHAs observed in GitLab UI links and those returned by git ls-remote or git fetch for the same reference.
- Audit log entries showing repository creation followed by rapid reference manipulation by the same authenticated user.
Detection Strategies
- Compare object hashes displayed on GitLab repository pages against hashes retrieved via authenticated Git protocol requests for the same references.
- Review GitLab audit events for reference create, update, and delete operations on repositories used in code review workflows.
- Flag repositories where reference names deviate from organizational naming conventions or contain characters that trigger non-standard Git resolution.
Monitoring Recommendations
- Enable and centralize GitLab application and audit logs, ingesting them into a security analytics platform for correlation.
- Alert on repository creation events by newly onboarded or low-reputation accounts followed by external collaborator invitations.
- Track download and clone activity volume against web view activity to surface anomalies tied to individual references.
How to Mitigate CVE-2025-12506
Immediate Actions Required
- Upgrade GitLab CE/EE to version 18.11.7, 19.0.4, or 19.1.2 depending on the deployed branch.
- Inventory self-managed GitLab instances and confirm the running version against the fixed releases.
- Restrict repository creation permissions to trusted users until the upgrade completes.
Patch Information
GitLab released fixes in versions 18.11.7, 19.0.4, and 19.1.2. Administrators should apply the patch that corresponds to their release branch. Full details are available in the GitLab Patch Release Advisory.
Workarounds
- Limit repository creation and reference push permissions to reviewed, trusted accounts.
- Require code reviewers to verify commit SHAs by cloning or fetching references rather than relying solely on the web UI.
- Enforce protected branch and protected tag rules to reduce the surface for reference manipulation.
# Verify installed GitLab version on a self-managed instance
sudo gitlab-rake gitlab:env:info | grep -i version
# Compare a reference between the web UI and Git protocol
git ls-remote https://gitlab.example.com/group/project.git refs/heads/main
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

