Skip to main content
CVE Vulnerability Database

CVE-2025-9958: GitLab Information Disclosure Vulnerability

CVE-2025-9958 is an information disclosure vulnerability in GitLab CE/EE that allows Guest users to access sensitive data in virtual registry configurations. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-9958 Overview

CVE-2025-9958 is an information disclosure vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE). The flaw allows Guest users to access sensitive information stored in virtual registry configurations. It affects all versions from 14.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1. The weakness is classified under CWE-201: Insertion of Sensitive Information Into Sent Data.

Critical Impact

Authenticated Guest users can read sensitive virtual registry configuration data, potentially exposing credentials and connection details for upstream package registries.

Affected Products

  • GitLab Community Edition versions 14.10 through 18.2.6
  • GitLab Enterprise Edition versions 18.3 through 18.3.2
  • GitLab CE/EE version 18.4.0

Discovery Timeline

  • 2025-09-26 - CVE-2025-9958 published to NVD
  • 2025-11-06 - Last updated in NVD database

Technical Details for CVE-2025-9958

Vulnerability Analysis

The vulnerability resides in GitLab's virtual registry feature, which proxies package requests to upstream registries. Virtual registry configurations store connection details, including credentials used to authenticate to upstream sources. Access to these configurations should be restricted to maintainer or owner-level roles.

The authorization check for reading virtual registry configurations does not adequately enforce role restrictions. Users assigned the Guest role, the lowest privileged role within a GitLab project, can issue requests that return configuration data they should not see. This breaks the principle of least privilege and exposes data across a trust boundary, leading to scope change in the impact assessment.

Root Cause

The root cause is missing or insufficient authorization enforcement in the virtual registry configuration endpoints. The application discloses sensitive configuration fields to any authenticated project member rather than restricting visibility to elevated roles. This aligns with CWE-201, where sensitive information is included in a response delivered to an unauthorized recipient.

Attack Vector

An attacker requires a valid GitLab account with Guest membership in a project that has virtual registries configured. After authenticating, the attacker queries the affected virtual registry API or UI surface to retrieve configuration entries. No user interaction from a higher-privileged user is required. The exposed data may include upstream registry URLs, usernames, and stored authentication material that can be reused to access third-party package sources.

The vulnerability has no public proof-of-concept and is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS probability is 0.453%.

Detection Methods for CVE-2025-9958

Indicators of Compromise

  • Unexpected API requests from Guest accounts to virtual registry endpoints under /api/v4/virtual_registries/.
  • Audit log entries showing Guest users reading registry configurations or listing upstream sources.
  • Anomalous authentication attempts against upstream package registries originating from accounts whose credentials are stored in GitLab virtual registries.

Detection Strategies

  • Review GitLab audit events for read operations on virtual registry configuration objects performed by users with the Guest role.
  • Correlate GitLab access logs with upstream registry authentication logs to identify reuse of leaked credentials.
  • Hunt for enumeration patterns where a single low-privileged account accesses multiple registry configuration entries in a short window.

Monitoring Recommendations

  • Enable GitLab audit event streaming to a centralized log platform and retain registry access events for at least 90 days.
  • Alert on any Guest-role API call that returns HTTP 200 from virtual registry endpoints.
  • Rotate and monitor credentials configured in virtual registries for unexpected upstream authentication failures or geo-anomalous logins.

How to Mitigate CVE-2025-9958

Immediate Actions Required

  • Upgrade GitLab CE/EE to version 18.2.7, 18.3.3, or 18.4.1 or later, matching your current release branch.
  • Audit all Guest-role users in projects that have virtual registries configured and remove unnecessary access.
  • Rotate any credentials stored in virtual registry configurations that may have been exposed to Guest users.

Patch Information

GitLab released fixed versions 18.2.7, 18.3.3, and 18.4.1 that enforce proper role-based authorization on virtual registry configuration endpoints. Details are documented in the GitLab Issue #567777 and the corresponding HackerOne Report #3323573. Self-managed administrators should apply the upgrade following the official GitLab upgrade procedure for their installation method.

Workarounds

  • If immediate patching is not possible, disable the virtual registry feature on affected GitLab instances until the upgrade can be applied.
  • Remove or relocate sensitive credentials from virtual registry configurations and use short-lived tokens stored outside the affected component.
  • Restrict project membership so that no Guest-role accounts remain in projects with configured virtual registries.
bash
# Verify installed GitLab version on a self-managed instance
sudo gitlab-rake gitlab:env:info | grep "GitLab information" -A 5

# Upgrade an Omnibus GitLab installation (Debian/Ubuntu) to the patched release
sudo apt-get update && sudo apt-get install gitlab-ee=18.4.1-ee.0

# Restart and reconfigure after upgrade
sudo gitlab-ctl reconfigure && sudo gitlab-ctl restart

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.