CVE-2025-12073

low-risk

Published 2026-02-11

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions, could have allowed an authenticated user to perform server-side request forgery against internal services by bypassing protections in the Git repository import functionality.

Do I need to act?

0.02% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.3/10 Medium

NETWORK / LOW complexity

Affected Products (2)

Gitlab

Affected Vendors

Gitlab

References (3)

Release Notes https://about.gitlab.com/releases/2026/02/10/patch-release-gitlab-18-8-4-release...

Broken Link https://gitlab.com/gitlab-org/gitlab/-/issues/578091

Permissions Required https://hackerone.com/reports/3314987

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 7/34 · Low