CVE-2025-1042
Published: 12 February 2025
Summary
CVE-2025-1042 is a medium-severity Files or Directories Accessible to External Parties (CWE-552) vulnerability in GitLab Enterprise Edition. Its CVSS v3.1 base score is 4.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Code Repositories (T1213.003). The CVE is ranked at the 8.2nd percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-25 (Reference Monitor).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 mandates enforcement of approved authorizations for access to system resources such as repositories, directly countering the IDOR flaw that allowed unauthorized viewing.
AC-25 requires a reference monitor to mediate every subject-object interaction, addressing the improper handling of repository object references in this vulnerability: a single, unbypassable decision point makes it much harder for one handler to forget the check.
AC-24 ensures that explicit authorization decisions for specific resources such as repositories are tied to defined roles, preventing a high-privilege user from reaching repositories outside the scope of that role by supplying an arbitrary object reference.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
IDOR enables unauthorized read access to GitLab code repositories (CWE-552), directly mapping to T1213.003 for data collection from code repositories.
NVD Description
An insecure direct object reference vulnerability in GitLab EE affecting all versions from 15.7 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to view repositories in an unauthorized way.
Deeper analysis
CVE-2025-1042 is an insecure direct object reference (IDOR) vulnerability, classified under CWE-552, affecting GitLab Enterprise Edition (EE). It impacts all versions from 15.7 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2. Published on 2025-02-12, the flaw enables unauthorized access to repositories through improper handling of object references. The vulnerability carries a CVSS v3.1 base score of 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N), indicating moderate severity primarily due to its high confidentiality impact.
Exploitation requires high privileges (PR:H), such as those held by authenticated users with elevated roles like maintainers or owners within a GitLab instance. An attacker can leverage the IDOR flaw over the network with low complexity and no user interaction to view repositories they are not authorized to access. This results in unauthorized data exposure but does not allow modification (no integrity impact) or disruption of service (no availability impact), with scope remaining unchanged.
Mitigation is to upgrade to a patched release: 17.6.5 or later for any instance running 15.7 through 17.6.x, 17.7.4 or later for 17.7.x, and 17.8.2 or later for 17.8.x. Additional details are available in the GitLab issue tracker at https://gitlab.com/gitlab-org/gitlab/-/issues/50849943 and the originating HackerOne disclosure at https://hackerone.com/reports/2886976.
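As an added illustration (not GitLab's code, and not part of the advisory), the Ruby sketch below places the IDOR pattern described above beside a hardened lookup that routes every repository access through one authorization decision point, the reference-monitor style that AC-3, AC-24 and AC-25 call for. The users, repositories, memberships, role ranks and function names are all constructed for the example and do not correspond to GitLab's actual data model.

```ruby
# Added example (not GitLab code): an IDOR-style repository lookup beside a
# hardened lookup that mediates every access through a single authorization
# function (reference monitor). All data, roles and names are constructed.

User       = Struct.new(:id, :name, :admin)
Repo       = Struct.new(:id, :name, :visibility)      # :public or :private
Membership = Struct.new(:user_id, :repo_id, :role)    # role symbols below

# Constructed sample data for the example.
USERS = {
  1 => User.new(1, 'alice', false),
  2 => User.new(2, 'bob',   false),
}
REPOS = {
  10 => Repo.new(10, 'public-docs',  :public),
  11 => Repo.new(11, 'team-backend', :private),
  12 => Repo.new(12, 'secret-infra', :private),
}
MEMBERSHIPS = [
  Membership.new(1, 11, :maintainer),   # alice maintains team-backend
  Membership.new(2, 12, :owner),        # bob owns secret-infra
]

# Vulnerable pattern: the caller-supplied object reference (repo id) is
# trusted directly, so any authenticated user who guesses or enumerates an
# id reads the repository regardless of membership. This is the IDOR shape.
def find_repo_insecure(_user, repo_id)
  repo = REPOS[repo_id]
  raise KeyError, 'not found' unless repo
  repo
end

# Reference monitor: the one place that decides (subject, object, action).
# Hypothetical role ladder; the minimum role per action is also illustrative.
ROLE_RANK = { guest: 0, reporter: 1, developer: 2, maintainer: 3, owner: 4 }.freeze
MIN_ROLE  = { read: :guest, write: :developer, admin: :owner }.freeze

def membership_role(user, repo)
  m = MEMBERSHIPS.find { |x| x.user_id == user.id && x.repo_id == repo.id }
  m&.role
end

def authorized?(user, repo, action)
  return true if user.admin
  return true if action == :read && repo.visibility == :public
  role = membership_role(user, repo)
  return false if role.nil?
  ROLE_RANK[role] >= ROLE_RANK[MIN_ROLE.fetch(action)]
end

class NotAuthorized < StandardError; end

# Scope the candidate set to what the user may act on *before* looking up
# the id. A handler that only ever sees this scoped set cannot leak an
# object the monitor would refuse.
def visible_repos(user, action = :read)
  REPOS.values.select { |r| authorized?(user, r, action) }
end

# Hardened lookup: an id the user may not see and an id that does not exist
# produce the same error, so the endpoint cannot be used to probe for ids.
def find_repo_secure(user, repo_id, action = :read)
  repo = visible_repos(user, action).find { |r| r.id == repo_id }
  raise NotAuthorized, 'not found' unless repo
  repo
end

if __FILE__ == $PROGRAM_NAME
  alice = USERS[1]
  puts "insecure: #{find_repo_insecure(alice, 12).name}"   # leaks secret-infra
  begin
    find_repo_secure(alice, 12)
  rescue NotAuthorized => e
    puts "secure: refused (#{e.message})"
  end
end
```

The point to take from the sketch is structural rather than the specific rules: the insecure handler answers the question "does this id exist?" while the hardened one answers "is this id among the objects this subject may act on?", and it asks that question through a single `authorized?` function rather than re-implementing the rule in each endpoint. In a Rails application the same idea is usually expressed by scoping the query to the current user's memberships instead of calling a global `find`.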
Details
- CWE(s)