Skip to main content
CVE Vulnerability Database

CVE-2025-4976: GitLab Information Disclosure Vulnerability

CVE-2025-4976 is an information disclosure vulnerability in GitLab EE that allows attackers to access internal notes in GitLab Duo responses. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-4976 Overview

CVE-2025-4976 is an information disclosure vulnerability in GitLab Enterprise Edition (EE). The flaw affects GitLab Duo, the AI-assisted development feature. Under specific circumstances, an attacker can retrieve internal notes through GitLab Duo responses. Internal notes are intended to remain visible only to project members with elevated permissions.

The issue impacts GitLab EE versions 17.0 through 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1. GitLab classifies the finding under [CWE-213] Exposure of Sensitive Information Due to Incompatible Policies. The vulnerability was reported through the HackerOne coordinated disclosure program.

Critical Impact

An unauthenticated network-based attacker can access confidential internal notes surfaced through GitLab Duo AI responses, exposing sensitive project discussions.

Affected Products

  • GitLab Enterprise Edition 17.0 through 18.0.4
  • GitLab Enterprise Edition 18.1 before 18.1.3
  • GitLab Enterprise Edition 18.2 before 18.2.1

Discovery Timeline

  • 2025-07-24 - CVE-2025-4976 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-4976

Vulnerability Analysis

GitLab Duo integrates generative AI into GitLab workflows to summarize issues, merge requests, and discussions. The vulnerability stems from insufficient access control checks when Duo aggregates context for its responses. Duo pulls content from associated resources without consistently enforcing the confidentiality flag on internal notes.

Internal notes are a GitLab feature that restricts comment visibility to project members with at least Reporter role. When Duo generates a response, the affected code paths included internal note content in the model context. This content then surfaced in AI output visible to users who lacked authorization to view the original notes.

The result is a confidentiality boundary violation. The integrity and availability of the system remain unaffected, but sensitive project discussions, security triage details, and internal review comments become readable through the AI interface.

Root Cause

The root cause is inconsistent authorization enforcement between the traditional GitLab UI and the Duo AI context builder. The UI correctly filters internal notes based on user role. The Duo context assembly logic did not apply the same visibility policy before passing note contents to the language model.

Attack Vector

Exploitation requires an attacker with network access to a GitLab instance running the vulnerable Duo integration. The attacker prompts Duo to summarize or discuss an issue, merge request, or epic that contains internal notes. The model output returns text derived from those notes, disclosing information the requesting user should not see. No authentication or user interaction beyond the standard Duo prompt is required in the vulnerable configurations.

No verified public proof-of-concept code is available. Technical details are documented in the GitLab Issue Report and the corresponding HackerOne Security Report.

Detection Methods for CVE-2025-4976

Indicators of Compromise

  • GitLab Duo API requests followed by user access to issues or merge requests they lack permission to view directly
  • Audit log entries showing Duo responses containing text that matches internal note content
  • Anomalous prompt patterns targeting specific issue IDs or merge request IDs known to contain internal notes

Detection Strategies

  • Correlate GitLab production logs for duo_chat and ai_gateway requests against user role assignments for the referenced resources
  • Review the audit_events table for read operations on internal notes that occur outside of standard UI navigation flows
  • Compare GitLab version strings reported by /help or the /api/v4/version endpoint against the patched releases 18.0.5, 18.1.3, and 18.2.1

Monitoring Recommendations

  • Enable verbose logging on the GitLab AI Gateway and forward events to a centralized SIEM for retention and correlation
  • Alert on Duo response volumes that exceed baseline for individual users, which may indicate scraping activity
  • Track GitLab instance versions across the fleet to confirm timely patching of Duo-enabled deployments

How to Mitigate CVE-2025-4976

Immediate Actions Required

  • Upgrade GitLab EE to version 18.0.5, 18.1.3, 18.2.1, or later as prescribed by the vendor advisory
  • Audit recent Duo interactions for exposure of internal notes and notify affected project owners
  • Restrict Duo access to trusted user groups while patching is in progress

Patch Information

GitLab has released fixed versions 18.0.5, 18.1.3, and 18.2.1 that enforce internal note visibility rules in the Duo context builder. Self-managed customers must apply the upgrade through their standard package or Helm chart update process. GitLab.com SaaS instances have been patched by the vendor. Consult the GitLab Issue Report for the fix commit references.

Workarounds

  • Disable the GitLab Duo feature in the Admin Area under Settings > General > AI-powered features until the upgrade is complete
  • Remove sensitive content from internal notes on active projects and use protected channels for confidential discussions
  • Limit Duo seat assignments to a small pilot group of trusted maintainers during the mitigation window
bash
# Disable GitLab Duo globally via Rails console on self-managed instances
sudo gitlab-rails runner "Ai::Setting.instance.update!(duo_features_enabled: false)"

# Verify current GitLab version
sudo gitlab-rake gitlab:env:info | grep -i version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.