Platform: gitlab
Component: gitlab
Fixed in: 18.8.9, 18.9.5, 18.10.3
CVE-2025-9484 is a security vulnerability identified in GitLab EE that allows authenticated users to potentially access the email addresses of other users. This occurs under specific circumstances involving certain GraphQL queries, posing a privacy risk. The vulnerability impacts GitLab EE versions from 16.6.0 up to, but not including, 18.10.3. A patch is available in version 18.10.3.
CVE-2025-9484 affects GitLab EE and allows an authenticated user, under certain circumstances, to access other users' email addresses via specific GraphQL queries. The vulnerability exists in GitLab EE versions from 16.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3. The potential impact is the unauthorized disclosure of sensitive personal information, which could result in privacy and security risks for affected users. While exploitation requires specific GraphQL knowledge and a particular configuration, the possibility of accessing other users' contact information represents a significant concern. Applying the provided security update is crucial to mitigate this risk.
The vulnerability is exploited through crafted GraphQL queries. An authenticated user with the appropriate permissions could construct a specific GraphQL query to extract other users' email addresses. Exploitation does not require administrator privileges, but it does require knowledge of the GraphQL schema and the ability to formulate queries that select email fields. The likelihood of exploitation depends on the GitLab instance configuration and on whether users with the technical expertise to construct such queries are present. GitLab has addressed this vulnerability in the patched versions by restricting access to sensitive information via GraphQL.
Exploit Status
EPSS: 0.01% (3rd percentile)
To remediate CVE-2025-9484, it is highly recommended to upgrade to GitLab EE version 18.10.3 or later, or to the patched release within the supported 18.8 or 18.9 branches (18.8.9 or 18.9.5 respectively). The update corrects the vulnerability by restricting access to email addresses via the affected GraphQL queries. Refer to the official GitLab documentation for detailed instructions on how to upgrade your GitLab instance. Additionally, review your security and access policies to ensure that only authorized users have access to sensitive information. Timely application of this update is essential to protect user privacy and maintain the security of your GitLab environment.
Update GitLab to version 18.8.9 or higher, 18.9.5 or higher, or 18.10.3 or higher. This update corrects an authorization vulnerability that allowed authenticated users to access other users' email addresses through certain GraphQL queries.
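As an added illustration (not code from GitLab or from this advisory), the following Python check maps an instance's reported version string onto the affected ranges stated above and reports the patched release in that instance's branch. The ranges and fixed versions are taken from the advisory; stripping a "-ee" style suffix before parsing is an assumption about how the version is reported.

```python
from typing import Optional, Tuple

# Affected ranges from the advisory, each as [first affected, first fixed):
# 16.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3.
AFFECTED_RANGES = (
    ((16, 6, 0), (18, 8, 9)),
    ((18, 9, 0), (18, 9, 5)),
    ((18, 10, 0), (18, 10, 3)),
)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH]' into a comparable tuple.

    An optional suffix such as '-ee' (assumed reporting format) is dropped.
    A missing patch component is treated as .0.
    """
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> bool:
    """True when the version falls inside any affected range."""
    v = parse_version(version)
    return any(start <= v < fixed for start, fixed in AFFECTED_RANGES)


def minimum_fix_for(version: str) -> Optional[str]:
    """Return the patched release for this version's range, or None if not affected.

    Versions below the 18.8 branch (e.g. 17.x) map to 18.8.9, the lowest
    patched release named in the advisory.
    """
    v = parse_version(version)
    for start, fixed in AFFECTED_RANGES:
        if start <= v < fixed:
            return ".".join(map(str, fixed))
    return None


if __name__ == "__main__":
    for sample in ("18.8.8-ee", "18.9.5", "17.5.0", "18.11.0"):  # constructed samples
        print(sample, "->", minimum_fix_for(sample) or "not affected")
```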
Vulnerable versions are GitLab EE from 16.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3.
Immediately upgrade to GitLab EE version 18.10.3 or later, or to a later version within the supported 18.8 or 18.9 branches.
No, exploitation does not require administrator privileges, but it does require knowledge of GraphQL.
Primarily, the email addresses of other users.
Consult the official GitLab documentation and the CVE-2025-9484 security advisory.