CVE-2025-1042: Files or Directories Accessible to External Parties in GitLab
First published: Wed Feb 12 2025(Updated: )
An insecure direct object reference vulnerability in GitLab EE affecting all versions from 15.7 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to view repositories in an unauthorized way.
Credit: cve@gitlab.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GitLab Enterprise Edition | >15.7<17.6.5>17.7<17.7.4>17.8<17.8.2 |
Remedy
Upgrade to versions 17.6.5, 17.7.4, 17.8.2 or above.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2025-1042?
The severity of CVE-2025-1042 is considered critical due to the potential unauthorized access to repositories.
How do I fix CVE-2025-1042?
To fix CVE-2025-1042, update your GitLab EE installation to version 17.6.5, 17.7.4, or 17.8.2 or later.
What versions are affected by CVE-2025-1042?
CVE-2025-1042 affects all versions of GitLab EE from 15.7 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2.
What type of vulnerability is CVE-2025-1042?
CVE-2025-1042 is an insecure direct object reference vulnerability.
What impacts can CVE-2025-1042 have on users?
CVE-2025-1042 can allow attackers to view repositories that they should not have access to, compromising data confidentiality.
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/weakness
- agent/title
- agent/type
- agent/remedy
- agent/description
- agent/first-publish-date
- agent/guess-ai
- agent/software-canonical-lookup
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/author
- agent/last-modified-date
- agent/severity
- agent/source
- agent/tags
- agent/event
- vendor/gitlab
- canonical/gitlab enterprise edition