CVE-2025-5101

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-5101
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-5101.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-5101
Aliases
Downstream
Related
Published
2025-08-27T19:33:36.040Z
Modified
2026-04-10T05:29:18.837551Z
Severity
  • 5.0 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N CVSS Calculator
Summary
Improper Control of Generation of Code ('Code Injection') in GitLab
Details

An issue has been discovered in GitLab CE/EE affecting all versions before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that under certain conditions could have allowed an authenticated attacker to distribute malicious code that appears harmless in the web interface by taking advantage of ambiguity between branches and tags during repository imports.

Database specific 
{
    "cna_assigner": "GitLab",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/5xxx/CVE-2025-5101.json",
    "cwe_ids": [
        "CWE-94"
    ]
}
References

Affected packages

Git / gitlab.com/gitlab-org/gitlab

Affected ranges

Type
GIT
Repo
https://gitlab.com/gitlab-org/gitlab
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
37cd445f04ca9225834e84c0705b8cc8a5ef92c6
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "18.1.5"
        }
    ]
}
Type
GIT
Repo
https://gitlab.com/gitlab-org/gitlab
Events
Introduced
64403a0daee4413eb45b939590f37c351b8e72bf
Fixed
eacf4ae161bac46e23ea1a20845a61466512dd5b
Database specific 
{
    "versions": [
        {
            "introduced": "18.2"
        },
        {
            "fixed": "18.2.5"
        }
    ]
}
Type
GIT
Repo
https://gitlab.com/gitlab-org/gitlab
Events
Introduced
94282cd9b41643ecd8a82da6cf46834cd9609afe
Fixed
cb15859792b69875385491d698ab05d2e75c9ff6
Database specific 
{
    "versions": [
        {
            "introduced": "18.3"
        },
        {
            "fixed": "18.3.1"
        }
    ]
}

Affected versions

Other
11-10-0cfa69752d8-0d9531c80-ee
11-10-0cfa69752d8-74ffd66ae-ee
11-10-119f9509d50-6d7537235-ee
v1.*
v1.2.0
v1.2.0pre
v1.2.1
v1.2.2
v18.*
v18.1.0-ee
v18.1.0-rc42-ee
v18.1.0-rc43-ee
v18.1.0-rc44-ee
v18.2.0-ee
v18.2.3-ee
v18.2.4-ee
v18.3.0-ee
v2.*
v2.3.0
v2.3.0pre
v2.3.1
v2.4.0
v2.4.0pre
v2.4.1
v2.5.0
v2.6.0
v2.6.0pre
v2.6.1
v2.6.2
v2.6.3
v2.7.0
v2.7.0pre
v2.8.0
v2.8.0pre
v2.8.1
v2.8.2
v2.9.0
v2.9.1
v3.*
v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.1.0
v4.*
v4.0.0
v4.0.0rc1
v4.0.0rc2
v5.*
v5.0.0
v5.1.0
v5.2.0
v6.*
v6.0.0-ee
v6.0.0-ee.beta
v6.0.0-ee.rc1
v6.1.0-ee
v6.3.0-ee
v6.3.1-ee
v6.4.0-ee
v6.5.0-ee
v6.6.0-ee
v6.7.0-ee
v6.7.0.rc1-ee
v6.8.0-ee
v7.*
v7.0.0-ee
v7.1.0-ee
v7.1.0.rc1-ee
v7.2.0.rc1-ee
v7.2.0.rc2-ee
v7.2.0.rc3-ee
v7.2.0.rc4-ee
v7.2.0.rc5-ee
v7.3.0-ee
v7.3.0.rc1-ee

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-5101.json"