Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
GitLab fixes critical vulnerability CVE-2025-6454

18 September 2025 17:41

The collaborative development platform GitLab has announced a fix for a critical vulnerability, tracked as CVE-2025-6454. The issue affected server installations of the Community and Enterprise editions and allowed requests to be sent to internal resources via specially crafted webhook headers.

Exploitation required an account with at least Developer-level privileges; no interaction from other users was needed.

The bug received a high CVSS score of 8.5 out of 10. It affected versions 16.11 through 18.1.6, 18.2 through 18.2.6, and 18.3 through 18.3.2. The fixes were included in version 18.3.2, released on September 10. GitLab emphasized that the issue was discovered through its bug bounty program and was reported by a researcher using the pseudonym “ppee”.

What made the vulnerability notable is that it allowed network isolation restrictions to be bypassed: requests could be sent to internal proxies, metadata services, or local APIs. Such activity would show up in event logs as non-standard HTTP headers and as requests to atypical addresses. Experts warn that attacks of this kind could lead to the leakage of confidential data and compromise the integrity of the infrastructure.

At the time of publication, there is no publicly available exploit, nor is there evidence of actual exploitation. However, the potential danger is high: the description states that the vulnerability impacts data confidentiality, availability, and integrity.

Administrators are advised to update GitLab to versions 18.1.6, 18.2.6, or 18.3.2 or later as soon as possible. We also recommend reviewing your webhook settings and disabling the use of custom headers, if users are able to set them.

For reverse proxy-based deployments, we recommend restricting GitLab access to internal resources. We also recommend monitoring logs for suspicious requests and segmenting your network to prevent unwanted access.
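The two recommendations above (reviewing webhook definitions for custom headers and internal targets, and monitoring logs for requests to atypical addresses) can be turned into a routine check. The script below is an added example written for this article, not GitLab's own code. It assumes webhook records carry `url` and `custom_headers` fields, and a delivery log with one JSON object per line holding `hook_id`, `url` and `request_headers`; these names and the embedded sample data are constructed for the demonstration and must be adapted to the actual API and log output of your instance.

```python
"""Defender-side review of GitLab webhooks (added example, not GitLab code).

  audit_hooks()       - flag webhook definitions targeting internal hosts or
                        carrying user-set custom headers
  scan_delivery_log() - flag outbound deliveries to internal hosts or with
                        non-standard HTTP headers

Field names (`url`, `custom_headers`, `hook_id`, `request_headers`) and the
log layout are assumptions; check them against your GitLab version.
"""
import ipaddress
import json
from urllib.parse import urlsplit

# Names treated as internal even though they are not IP literals (assumed list).
INTERNAL_HOSTNAMES = {"localhost", "metadata.google.internal"}
INTERNAL_SUFFIXES = (".internal", ".local", ".localhost")

# Headers a webhook delivery is expected to carry (assumed baseline; extend as needed).
EXPECTED_HEADERS = {
    "content-type", "user-agent", "x-gitlab-event", "x-gitlab-token",
    "x-gitlab-instance", "x-gitlab-webhook-uuid", "x-gitlab-event-uuid",
}


def is_internal_host(host):
    """True if `host` is loopback, private, link-local, reserved or a known internal name.

    A missing host (unparsable URL) counts as internal so it is never silently
    accepted. Public hostnames are not resolved, so DNS-based tricks are out of
    scope for this offline check.
    """
    if not host:
        return True
    host = host.lower().rstrip(".")
    if host in INTERNAL_HOSTNAMES or host.endswith(INTERNAL_SUFFIXES):
        return True
    try:
        ip = ipaddress.ip_address(host.strip("[]"))  # urlsplit may keep IPv6 brackets
    except ValueError:
        return False  # a public DNS name
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_unspecified)


def audit_hooks(hooks):
    """One finding per webhook that targets an internal host or sets custom headers."""
    findings = []
    for hook in hooks:
        issues = []
        host = urlsplit(hook.get("url", "")).hostname
        if is_internal_host(host):
            issues.append(f"target host {host!r} is internal")
        custom = hook.get("custom_headers") or []
        if custom:
            names = ", ".join(h.get("key", "?") for h in custom)
            issues.append(f"custom headers set: {names}")
        if issues:
            findings.append({"id": hook.get("id"), "url": hook.get("url"), "issues": issues})
    return findings


def scan_delivery_log(lines):
    """Return (hook_id, reasons) for each delivery log line that looks suspicious."""
    suspicious = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the scan
        reasons = []
        host = urlsplit(entry.get("url", "")).hostname
        if is_internal_host(host):
            reasons.append(f"delivery to internal host {host!r}")
        extra = sorted(h for h in entry.get("request_headers", {})
                       if h.lower() not in EXPECTED_HEADERS)
        if extra:
            reasons.append("non-standard headers: " + ", ".join(extra))
        if reasons:
            suspicious.append((entry.get("hook_id"), reasons))
    return suspicious


# Constructed sample data for the demonstration (not real GitLab output).
SAMPLE_HOOKS = [
    {"id": 1, "url": "https://ci.example.com/hook", "custom_headers": []},
    {"id": 2, "url": "http://169.254.169.254/latest/meta-data/",
     "custom_headers": [{"key": "X-Custom-Token", "value": "REDACTED"}]},
    {"id": 3, "url": "https://10.0.0.5:8080/hooks/deploy", "custom_headers": []},
    {"id": 4, "url": "https://chat.example.org/hooks/abc",
     "custom_headers": [{"key": "Authorization", "value": "Bearer REDACTED"}]},
]

SAMPLE_LOG = """\
{"hook_id": 1, "url": "https://ci.example.com/hook", "request_headers": {"Content-Type": "application/json", "X-Gitlab-Event": "Push Hook"}}
{"hook_id": 2, "url": "http://169.254.169.254/latest/meta-data/", "request_headers": {"Content-Type": "application/json", "X-Gitlab-Event": "Push Hook", "X-Custom-Token": "REDACTED"}}
{"hook_id": 5, "url": "http://127.0.0.1:8080/admin", "request_headers": {"Content-Type": "application/json"}}
this line is not JSON and is skipped
{"hook_id": 6, "url": "https://chat.example.org/hooks/abc", "request_headers": {"Content-Type": "application/json", "X-Gitlab-Event": "Merge Request Hook", "Authorization": "Bearer REDACTED"}}
"""

if __name__ == "__main__":
    for finding in audit_hooks(SAMPLE_HOOKS):
        print("HOOK", finding)
    for hook_id, reasons in scan_delivery_log(SAMPLE_LOG.splitlines()):
        print("LOG ", hook_id, reasons)
```

On the sample data the hook audit reports hooks 2, 3 and 4 (internal target plus custom header, internal target, custom header), and the log scan reports deliveries for hooks 2, 5 and 6 while skipping the malformed line. Treating an unparsable target as internal is deliberate: a check that silently passes whatever it cannot parse is the kind of gap the article's recommendations are meant to close.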

The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.