Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Authenticated low-privilege actor (PR:L) required to create crafted repo; victim must actively view via web UI (UI:R); impact is integrity-only content mismatch with no confidentiality or availability consequence.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
6DescriptionNVD
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.5 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user to create a repository where the content displayed in the web interface differed from the content available for download, due to improper handling of Git reference name resolution.
AnalysisAI
Content spoofing in GitLab CE/EE versions 16.5 through 18.x, 19.0, and 19.1 allows authenticated users to construct repositories where the web interface renders content that diverges from the actual downloadable source, exploiting improper Git reference name resolution (CWE-706). The CVSS score of 3.5 (Low) reflects the authentication requirement (PR:L), mandatory viewer interaction (UI:R), and limited integrity-only impact with no confidentiality or availability consequences. No public exploit code or CISA KEV listing has been identified at time of analysis, placing real-world risk firmly in the low tier despite the broad version range affected.
Technical ContextAI
GitLab CE/EE implements server-side rendering of Git repository content by resolving branch names, tags, and other symbolic references to display file trees, diffs, and blob content in the web UI. CWE-706 (Use of Incorrectly-Resolved Name or Reference) identifies the root cause class: GitLab's Git reference name resolution logic can be manipulated so that the ref resolved for web display differs from the ref resolved for download or clone operations. This creates a content-display integrity gap exploitable for code review deception. The flaw spans a wide version range - all versions from 16.5 up to 18.11.7, 19.0 up to 19.0.4, and 19.1 up to 19.1.2 - covering the majority of actively maintained GitLab release branches. No CPE strings were provided in the input data; affected product scope is inferred from NVD version range data and the GitLab patch advisory.
RemediationAI
Upgrade GitLab CE/EE to version 18.11.7 (for the 18.x branch), 19.0.4 (for the 19.0 branch), or 19.1.2 (for the 19.1 branch), per the official GitLab patch release advisory at https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-1-2-released/. No documented workaround is referenced in available intelligence. For administrators unable to patch immediately, a compensating control is to restrict repository creation permissions to trusted users only, reducing the pool of actors who could construct a malicious repository - note this limits self-service repository creation and may require process changes. Additionally, critical code reviews should be supplemented by cloning the repository locally and comparing content rather than relying solely on the web UI rendering, eliminating the web-display attack surface until patched.
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.
The SSH key upload feature (lib/gitlab_keys.rb) in gitlab-shell before 1.7.3, as used in GitLab 5.0 before 5.4.1 and 6.x
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. Rated critical severity (CVSS 10
A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. Rated critical severity (CVSS 9.8)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions star
When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab af
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7.9 before 13.8.7, all versions sta
An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. Rated critical severity (CVSS 9.8), this vulnerability is
An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210442
GHSA-h5pw-h3j7-cj7f