CVE-2025-4979 Overview
An information disclosure vulnerability has been discovered in GitLab CE/EE that allows attackers to reveal masked or hidden CI/CD variables through the WebUI. The flaw lies in the variable management functionality: by creating a variable of their own and inspecting the HTTP response, an attacker can expose sensitive CI variables that they did not originally author. This represents a significant breach of the security controls designed to protect sensitive configuration data in GitLab pipelines.
Critical Impact
Attackers can expose masked or hidden CI/CD variables containing potentially sensitive credentials, API keys, and secrets without requiring any user interaction or authentication.
Affected Products
- GitLab Community Edition (CE) all versions before 17.10.7
- GitLab Enterprise Edition (EE) all versions before 17.10.7
- GitLab CE/EE versions 17.11 before 17.11.3
- GitLab CE/EE version 18.0.0 (fixed in 18.0.1)
Discovery Timeline
- 2025-05-22 - CVE-2025-4979 published to NVD
- 2025-08-08 - Last updated in NVD database
Technical Details for CVE-2025-4979
Vulnerability Analysis
This vulnerability stems from insufficient access control granularity in GitLab's CI/CD variable handling mechanism (CWE-1220: Insufficient Granularity of Access Control). The WebUI component responsible for managing CI variables fails to properly isolate variable data between different users and contexts. When a user creates a new CI variable, the HTTP response from the server inadvertently includes information about other masked or hidden variables that the requesting user should not have access to view.
The flaw allows network-based exploitation without requiring authentication or user interaction. The impact is focused on confidentiality, with no direct effect on system integrity or availability. Organizations using GitLab CI/CD pipelines to store sensitive credentials, API tokens, database passwords, or other secrets in masked variables are at risk of having these values exposed to unauthorized parties.
Root Cause
The root cause lies in CWE-1220 (Insufficient Granularity of Access Control), where GitLab's variable management API does not properly filter response data based on the authenticated user's authorization level. The system fails to distinguish between variables that a user has permission to view versus those that should remain hidden, resulting in unintended information leakage through standard API responses.
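As an added illustration of the weakness class described above (this is not GitLab's code; the data model, the function names and the simplified authorization policy are assumptions made for the illustration), the Python model below contrasts a create-variable handler that serializes the whole variable list for any caller with one that scopes the response to the caller and redacts masked values. A small review helper reports which masked values authored by other users appear verbatim in a response:

```python
from dataclasses import dataclass

# Constructed model of CWE-1220 in a CI-variable handler. Not GitLab's code:
# the policy (masked values are never echoed; unmasked values are shown only
# to their author) is a simplified assumption used to make the contrast clear.

@dataclass(frozen=True)
class CiVariable:
    key: str
    value: str
    masked: bool   # masked/hidden: value must not surface in UI, logs or responses
    author: str    # username of the user who created it

@dataclass(frozen=True)
class Requester:
    username: str

def create_variable_vulnerable(store, requester, key, value, masked):
    """Insecure shape: after inserting, the handler returns the project's full variable
    list, serialized with no regard to who is asking or which values are masked.
    Any caller who can create a variable receives every masked value other users stored."""
    store.append(CiVariable(key, value, masked, requester.username))
    return [{"key": v.key, "value": v.value, "masked": v.masked} for v in store]

def view_for(var, requester):
    """Per-variable filter applied before anything is serialized."""
    visible = not var.masked and var.author == requester.username
    return {"key": var.key, "value": var.value if visible else "[REDACTED]", "masked": var.masked}

def create_variable_hardened(store, requester, key, value, masked):
    """Hardened shape: the response is scoped to the object the caller just created,
    and it passes through the same filter as every other read path."""
    created = CiVariable(key, value, masked, requester.username)
    store.append(created)
    return [view_for(created, requester)]

def leaked_values(response, store, requester):
    """Review helper: masked values authored by someone other than the requester that
    appear verbatim anywhere in the response. An empty set is the expected result."""
    others = {v.value for v in store if v.masked and v.author != requester.username}
    echoed = {entry["value"] for entry in response}
    return others & echoed

def demo():
    """Run both handlers against the same starting state and report what leaked."""
    alice, mallory = Requester("alice"), Requester("mallory")
    seed = [CiVariable("DB_PASSWORD", "s3cr3t-db", True, alice.username)]  # constructed
    vulnerable_store = list(seed)
    hardened_store = list(seed)
    leaked_vuln = leaked_values(
        create_variable_vulnerable(vulnerable_store, mallory, "FOO", "bar", False),
        vulnerable_store, mallory)
    leaked_hard = leaked_values(
        create_variable_hardened(hardened_store, mallory, "FOO", "bar", False),
        hardened_store, mallory)
    return {"vulnerable": sorted(leaked_vuln), "hardened": sorted(leaked_hard)}

if __name__ == "__main__":
    print(demo())   # {'vulnerable': ['s3cr3t-db'], 'hardened': []}
```

The point of the `leaked_values` helper is that it is a property a code reviewer or test suite can assert on any response path: no masked value authored by someone else may ever be echoed, regardless of which endpoint produced the response.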
Attack Vector
The attack is conducted over the network and requires no special privileges or user interaction. An attacker with access to the GitLab WebUI can exploit this vulnerability through the following attack pattern:
- The attacker navigates to a GitLab project's CI/CD variable settings
- The attacker initiates a request to create a new CI variable
- The HTTP response from the server contains data about masked or hidden variables that belong to other users
- The attacker extracts sensitive variable values from the response payload
The vulnerability is particularly dangerous because masked variables in GitLab are specifically designed to hide sensitive values like credentials and API keys from appearing in logs and UI displays.
Detection Methods for CVE-2025-4979
Indicators of Compromise
- Unusual patterns of CI/CD variable creation requests from single users
- HTTP response logs showing larger-than-expected payloads for variable creation endpoints
- Access patterns indicating systematic enumeration of CI variable endpoints
- Audit log entries showing variable access by users who did not create them
Detection Strategies
- Monitor GitLab API access logs for anomalous patterns in /api/v4/projects/:id/variables endpoints
- Implement alerting on unusual volumes of variable creation requests
- Review audit logs for users accessing CI/CD settings across multiple projects in rapid succession
- Enable and monitor GitLab's built-in audit events for CI/CD variable operations
Monitoring Recommendations
- Configure centralized logging for all GitLab API requests, particularly those related to CI/CD configurations
- Establish baseline metrics for normal CI variable access patterns and alert on deviations
- Implement network traffic analysis to detect large response payloads from variable endpoints
- Review access to sensitive repositories and projects for unauthorized variable enumeration attempts
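As an added example (not part of the advisory and not a GitLab-provided tool), the Python below applies two of the strategies listed above, unusual volumes of variable-creation requests per user and variable activity across many projects in quick succession, to a handful of constructed JSON log lines shaped like GitLab's `api_json.log`. The field names used (`time`, `method`, `path`, `status`, `username`, `remote_ip`), the thresholds and the window size are assumptions to adjust for your own instance:

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, shaped like GitLab's JSON API log (api_json.log).
# The field names are an assumption about that format; check them against
# the log your instance actually writes before deploying this logic.
SAMPLE_LOG = """
{"time":"2025-05-23T10:00:01Z","method":"POST","path":"/api/v4/projects/42/variables","status":201,"username":"alice","remote_ip":"10.0.0.5"}
{"time":"2025-05-23T10:00:04Z","method":"POST","path":"/api/v4/projects/42/variables","status":201,"username":"mallory","remote_ip":"10.0.0.9"}
{"time":"2025-05-23T10:00:06Z","method":"POST","path":"/api/v4/projects/43/variables","status":201,"username":"mallory","remote_ip":"10.0.0.9"}
{"time":"2025-05-23T10:00:08Z","method":"POST","path":"/api/v4/projects/44/variables","status":201,"username":"mallory","remote_ip":"10.0.0.9"}
{"time":"2025-05-23T10:00:09Z","method":"GET","path":"/api/v4/projects/44/variables","status":200,"username":"mallory","remote_ip":"10.0.0.9"}
{"time":"2025-05-23T10:00:11Z","method":"POST","path":"/api/v4/projects/45/variables","status":201,"username":"mallory","remote_ip":"10.0.0.9"}
{"time":"2025-05-23T10:00:12Z","method":"POST","path":"/api/v4/projects/46/variables","status":201,"username":"mallory","remote_ip":"10.0.0.9"}
{"time":"2025-05-23T10:30:00Z","method":"POST","path":"/api/v4/projects/42/variables","status":201,"username":"alice","remote_ip":"10.0.0.5"}
{"time":"2025-05-23T10:31:00Z","method":"GET","path":"/api/v4/projects/42/pipelines","status":200,"username":"bob","remote_ip":"10.0.0.7"}
"""

# Matches the project-level variables endpoint named in the advisory.
VARIABLES_PATH = re.compile(r"^/api/v4/projects/(?P<project>\d+)/variables(?:/|$)")

def parse_events(text):
    """Return (timestamp, username, method, project_id) for each variable-endpoint request."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        m = VARIABLES_PATH.match(rec.get("path", ""))
        if not m:
            continue
        ts = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, rec.get("username", "?"), rec["method"], int(m.group("project"))))
    return events

def find_suspicious_users(text, window=timedelta(minutes=5), max_creates=3, max_projects=2):
    """Return {username: reason} for users whose variable-creation (POST) activity within
    any sliding window exceeds max_creates requests or touches more than max_projects
    distinct projects. Thresholds are assumptions; baseline them on your own traffic."""
    per_user = defaultdict(list)
    for ts, user, method, project in parse_events(text):
        if method == "POST":
            per_user[user].append((ts, project))
    flagged = {}
    for user, creates in per_user.items():
        creates.sort()
        start = 0
        for end in range(len(creates)):
            # Slide the window start forward until the span fits inside `window`.
            while creates[end][0] - creates[start][0] > window:
                start += 1
            chunk = creates[start:end + 1]
            projects = {p for _, p in chunk}
            if len(chunk) > max_creates:
                flagged[user] = f"{len(chunk)} variable creations within {window}"
                break
            if len(projects) > max_projects:
                flagged[user] = f"variables created in {len(projects)} projects within {window}"
                break
    return flagged

if __name__ == "__main__":
    for user, reason in find_suspicious_users(SAMPLE_LOG).items():
        print(f"ALERT user={user}: {reason}")
```

On the sample data only `mallory` is flagged, because five variable creations across five projects land inside a single five-minute window; `alice` creates two variables half an hour apart and stays below both thresholds. Feeding real log lines in is a matter of replacing `SAMPLE_LOG` with the file contents and tuning the thresholds to the baseline you establish.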
How to Mitigate CVE-2025-4979
Immediate Actions Required
- Upgrade GitLab CE/EE to version 17.10.7, 17.11.3, or 18.0.1 depending on your current version branch
- Review audit logs for potential exploitation attempts
- Rotate any credentials or secrets stored in CI/CD variables as a precautionary measure
- Assess which users have had access to CI/CD variable management interfaces
Patch Information
GitLab has released security patches addressing this vulnerability. Organizations should upgrade to the following fixed versions:
- Version 17.10.7 for the 17.10.x branch
- Version 17.11.3 for the 17.11.x branch
- Version 18.0.1 for the 18.0.x branch
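Added example, not from the advisory: a small Python helper that encodes the affected ranges and fixed versions listed above so that an installed version string, as reported by your instance, can be checked against them. Version strings with a suffix such as `-ee` are accepted; the branch rules are exactly those stated on this page, and branches newer than 18.0 are treated as unaffected because the advisory does not list them:

```python
import re

# Fixed versions per affected branch, as stated in this advisory.
FIXED_VERSIONS = {
    (17, 10): (17, 10, 7),
    (17, 11): (17, 11, 3),
    (18, 0): (18, 0, 1),
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

def parse_version(s):
    """Turn '17.10.5-ee' or '18.0.0' into a (major, minor, patch) tuple."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {s!r}")
    return tuple(int(x) for x in m.groups())

def required_upgrade(version):
    """Return the fixed version an install must reach, or None if it is not affected.

    Rules from the advisory:
      - anything before 17.10.7 (older branches included) -> 17.10.7
      - 17.11.x before 17.11.3                            -> 17.11.3
      - 18.0.0                                             -> 18.0.1
    Branches newer than 18.0 are not listed as affected.
    """
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_VERSIONS:
        fixed = FIXED_VERSIONS[branch]
        return fixed if v < fixed else None
    if v < FIXED_VERSIONS[(17, 10)]:
        # An older branch with no patched release of its own: move to the
        # oldest fixed version the advisory names.
        return FIXED_VERSIONS[(17, 10)]
    return None

def format_version(t):
    return ".".join(str(x) for x in t)

def report(version):
    """Human-readable verdict for one version string."""
    target = required_upgrade(version)
    if target is None:
        return f"{version}: not affected by CVE-2025-4979"
    return f"{version}: affected, upgrade to {format_version(target)}"

if __name__ == "__main__":
    for v in ["16.11.2-ee", "17.10.5", "17.10.7", "17.11.0", "18.0.0", "18.0.1", "18.1.0"]:
        print(report(v))
```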
Additional technical details and discussion can be found in the GitLab Issue Discussion.
Workarounds
- Restrict access to CI/CD variable management to only essential personnel until patching is complete
- Consider temporarily migrating highly sensitive secrets to external secret management solutions
- Implement network-level restrictions to limit access to GitLab's WebUI from untrusted networks
- Enable additional audit logging to monitor for potential exploitation attempts
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.