Platform
gitlab
Component
gitlab
Fixed in
18.8.9
18.9.5
18.10.3
CVE-2025-9484 identifies a vulnerability in GitLab EE that, under certain circumstances, could allow an authenticated user to access other users' email addresses through specific GraphQL queries. It affects GitLab EE from 16.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3, and is fixed in the patched releases 18.8.9, 18.9.5 and 18.10.3.
The primary impact of CVE-2025-9484 is the unauthorized disclosure of email addresses of other GitLab users. While this may not lead to immediate system compromise, it can be used for phishing attacks, social engineering, or other malicious activities targeting those users. The vulnerability highlights a potential weakness in GitLab's access control mechanisms for GraphQL queries. The scope of the impact is limited to GitLab EE and requires an authenticated user to exploit the vulnerability, but the potential for email address harvesting remains a concern.
CVE-2025-9484 was published on 2026-04-08 and has a CVSS score of 4.3 (MEDIUM). Public proof-of-concept (PoC) exploits are possible. Monitor GitLab security advisories and vulnerability databases for updates. Because the vulnerability requires authentication, the attack surface is limited to users who already hold an account on the instance.
Exploit status
EPSS
0.01% (3rd percentile)
CISA SSVC
The primary mitigation for CVE-2025-9484 is to upgrade GitLab EE to version 18.10.3 or later. Review and audit GraphQL query permissions to ensure that users only have access to the data they are authorized to view. Implement robust input validation and sanitization on all GraphQL queries to prevent malicious manipulation. Regularly review GitLab security advisories and apply updates promptly. After upgrade, confirm by attempting the vulnerable GraphQL query and verifying that access to other users' email addresses is denied.
Upgrade GitLab to version 18.8.9 or later, 18.9.5 or later, or 18.10.3 or later. This update fixes an authorization vulnerability that allowed authenticated users to access other users' email addresses through certain GraphQL queries.
Vulnerable versions are GitLab EE from 16.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3.
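To make the affected ranges above and the "confirm after upgrade" step in the mitigation paragraph mechanically checkable, here is an added example (not code from this advisory or from GitLab) that classifies a GitLab version string against the ranges the advisory lists and suggests the patched release of the same branch. It assumes standard GitLab version strings such as `18.8.3-ee`, and the `check_version_response` helper assumes the JSON shape returned by GitLab's `GET /api/v4/version` endpoint (`{"version": "...", ...}`); the sample body below is constructed.

```python
"""Classify a GitLab EE version against the CVE-2025-9484 affected ranges.

Added example, not part of the advisory. Ranges come from the advisory text:
  16.6 <= v < 18.8.9, 18.9 <= v < 18.9.5, 18.10 <= v < 18.10.3
"""
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (inclusive lower bound, exclusive upper bound) for each affected range
AFFECTED_RANGES = [
    ((16, 6, 0), (18, 8, 9)),
    ((18, 9, 0), (18, 9, 5)),
    ((18, 10, 0), (18, 10, 3)),
]

# Patched release per minor branch, as listed under "Fixed in"
PATCHED_RELEASE = {
    (18, 8): "18.8.9",
    (18, 9): "18.9.5",
    (18, 10): "18.10.3",
}


def parse_version(text: str) -> Version:
    """Parse '18.8.9', 'v18.8.9', '18.8.9-ee' or '18.8' into (major, minor, patch).

    Suffixes such as '-ee' or '-rc1' are ignored; a missing patch counts as 0.
    """
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(version_text: str) -> bool:
    """True when the version lies inside one of the advisory's affected ranges."""
    v = parse_version(version_text)
    return any(low <= v < high for low, high in AFFECTED_RANGES)


def recommended_upgrade(version_text: str) -> Optional[str]:
    """Patched release to move to, or None when the version is not affected.

    Branches older than 18.8 have no patched release of their own, so the
    advisory's advice to go to 18.10.3 or later applies to them.
    """
    if not is_affected(version_text):
        return None
    major, minor, _ = parse_version(version_text)
    return PATCHED_RELEASE.get((major, minor), "18.10.3")


def check_version_response(body: str) -> dict:
    """Evaluate a JSON body of the shape returned by GET /api/v4/version."""
    data = json.loads(body)
    version = data["version"]
    return {
        "version": version,
        "affected": is_affected(version),
        "upgrade_to": recommended_upgrade(version),
    }


if __name__ == "__main__":
    # Constructed sample response; a real one comes from the instance's API.
    sample_body = '{"version": "18.8.3-ee", "revision": "0000000"}'
    print(check_version_response(sample_body))
    for v in ("16.5.9", "16.6.0", "18.8.9", "18.9.2", "18.10.3", "18.11.0"):
        print(f"{v:>8}: affected={is_affected(v)} upgrade_to={recommended_upgrade(v)}")
```

Feed the script the `version` field from your instance's `/api/v4/version` response (or the value shown on the admin area) to get a yes/no answer for this CVE; the boundary cases (the patched releases themselves, the first affected release 16.6.0, and branches after 18.10) are the ones worth re-checking by hand when the ranges in an advisory are updated.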
Immediately upgrade to GitLab EE version 18.10.3 or later, or to the patched release of the supported 18.8 or 18.9 branch (18.8.9 or 18.9.5) or later.
No, exploitation does not require administrator privileges, but it does require knowledge of GraphQL.
Primarily, the email addresses of other users.
Consult the official GitLab documentation and the CVE-2025-9484 security advisory.
CVSS vector