Improper Control of Generation of Code (‘Code Injection’) in GitLab

5 / 10

MEDIUM

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N

Description

An issue has been discovered in GitLab CE/EE affecting all versions before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that under certain conditions could have allowed an authenticated attacker to distribute malicious code that appears harmless in the web interface by taking advantage of ambiguity between branches and tags during repository imports.

Basic Information

ID CVE-2025-5101

Source GitLab

Published Aug 27, 2025 at 19:33

Modified Aug 27, 2025 at 19:53

Affected Product

Vendor GitLab

Product GitLab

Affected Versions GitLab GitLab 0
GitLab GitLab 18.2
GitLab GitLab 18.3

CWE Classification

CWE-94

References

{
    "lastseen": "",
    "description": "An issue has been discovered in GitLab CE/EE affecting all versions before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that under certain conditions could have allowed an authenticated attacker to distribute malicious code that appears harmless in the web interface by taking advantage of ambiguity between branches and tags during repository imports.",
    "published": "2025-08-27T19:33:36.040Z",
    "modified": "2025-08-27T19:53:36.682Z",
    "type": "cve",
    "title": "Improper Control of Generation of Code ('Code Injection') in GitLab",
    "source": "GitLab",
    "references": "https://gitlab.com/gitlab-org/gitlab/-/issues/545165\nhttps://hackerone.com/reports/3124199",
    "id": "CVE-2025-5101",
    "bulletinFamily": "",
    "cwe": [
        "CWE-94"
    ],
    "cvelist": null,
    "sourceData": "GitLab GitLab 0\nGitLab GitLab 18.2\nGitLab GitLab 18.3",
    "sourceHref": "",
    "cvss": {
        "score": 5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "GitLab",
    "version": "0",
    "vendor": "GitLab",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Improper Control of Generation of Code (‘Code Injection’) in GitLab_CVE-2025-5101