CVE-2025-7000

low-risk

Published 2025-11-15

An issue has been discovered in GitLab CE/EE affecting all versions from 17.6 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2, that, under specific conditions, could have allowed unauthorized users to view confidential branch names by accessing project issues with related merge requests.

Do I need to act?

0.01% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.3/10 Medium

NETWORK / LOW complexity

Affected Products (2)

Gitlab

Affected Vendors

Gitlab

References (3)

Release Notes https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-release...

Broken Link https://gitlab.com/gitlab-org/gitlab/-/issues/553129

Permissions Required https://hackerone.com/reports/3214025

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 7/34 · Low