Introduction
An attacker with valid credentials in a GitLab Enterprise Edition instance could have hijacked project runners from other projects, potentially exposing sensitive CI/CD secrets and disrupting software delivery pipelines. This vulnerability, tracked as CVE-2025-11702, directly impacts organizations relying on GitLab for secure DevOps workflows and was rated with a CVSS score of 8.5, highlighting its high risk to enterprise environments.
GitLab is a leading DevOps platform used by tens of thousands of organizations worldwide for source code management, CI/CD, and project collaboration. Its Enterprise Edition offers advanced features for large teams and regulated industries, making vulnerabilities in this platform especially impactful for the global tech ecosystem.
Technical Information
CVE-2025-11702 is an improper access control vulnerability in the Runner API of GitLab Enterprise Edition. The issue affects all versions from 17.1 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1. The vulnerability arises from missing or insufficient authorization checks (CWE-862) in the Runner API, which allowed authenticated users with specific permissions to access and potentially hijack runners belonging to other projects.
The attack requires the user to be authenticated and possess certain project-level permissions. Once authenticated, the attacker could interact with the Runner API in a way that bypassed intended project boundaries, enabling them to take control of runners registered to other projects. This could result in:
- Unauthorized access to CI/CD secrets and environment variables from other projects
- The ability to execute arbitrary jobs or code in the context of another project
- Lateral movement within the GitLab instance, potentially leading to broader compromise
The root cause is a lack of strict permission validation within the API endpoints responsible for runner management: a user's legitimate permissions on one project were accepted as sufficient to act on runners registered to other projects, so the check that was performed (does the caller hold a role?) was never tied to the specific runner being touched (does that runner belong to a project the role covers?). That is the CWE-862 (Missing Authorization) pattern, in which a sensitive operation proceeds without an authorization check on the particular resource it acts on.
No public code snippets or exploit scripts have been released for this vulnerability as of the patch date. However, the technical mechanism is well-understood in the context of improper access control flaws in API-driven platforms.
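To make the authorization gap concrete, the following Python model contrasts a runner-management handler that checks only the caller's role with one that also checks the object being acted on. This is an added illustration, not GitLab's code: the Runner and User classes, the sample runner IDs 101 and 202, the project IDs and the two handler functions are all constructed for the example.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when an authorization check fails."""


@dataclass(frozen=True)
class Runner:
    id: int
    project_id: int  # project the runner is registered to (hypothetical model)


@dataclass
class User:
    name: str
    # project_id -> role. Only "maintainer" may manage a project's runners here.
    roles: dict = field(default_factory=dict)


# Constructed sample data: two projects, one runner each.
RUNNERS = {
    101: Runner(id=101, project_id=1),
    202: Runner(id=202, project_id=2),
}


def can_manage_runners(user: User, project_id: int) -> bool:
    """Role check: does the user hold a runner-managing role on this project?"""
    return user.roles.get(project_id) == "maintainer"


def vulnerable_update_runner(user: User, project_id: int, runner_id: int) -> Runner:
    """CWE-862 pattern: the caller's role on the project they name is verified,
    but the runner is then fetched by its global ID with no check that it
    belongs to that project. A maintainer of project 1 can act on runner 202."""
    if not can_manage_runners(user, project_id):
        raise Forbidden("caller cannot manage runners on the named project")
    runner = RUNNERS[runner_id]  # global lookup, ownership never checked
    # ... a real endpoint would now pause, edit or re-register the runner
    return runner


def fixed_update_runner(user: User, project_id: int, runner_id: int) -> Runner:
    """Same role check, plus object-level authorization: the runner must be
    registered to the very project the caller is authorized on."""
    if not can_manage_runners(user, project_id):
        raise Forbidden("caller cannot manage runners on the named project")
    runner = RUNNERS.get(runner_id)
    if runner is None or runner.project_id != project_id:
        # Same error for "missing" and "not yours", so the API does not leak
        # which runner IDs exist in other projects.
        raise Forbidden("no such runner in this project")
    return runner


def demo() -> dict:
    """Attacker holds maintainer on project 1 and names project 2's runner."""
    attacker = User("mallory", roles={1: "maintainer"})
    hijacked = vulnerable_update_runner(attacker, project_id=1, runner_id=202)
    try:
        fixed_update_runner(attacker, project_id=1, runner_id=202)
        blocked = False
    except Forbidden:
        blocked = True
    return {"vulnerable_hijacked_project": hijacked.project_id, "fixed_blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

The fix is not an extra role check but a scoped lookup: the runner is resolved inside the project the caller is authorized on, so a runner ID from another project is indistinguishable from a non-existent one.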
Patch Information
In the GitLab 18.5.1 patch release (the fix for CVE-2025-11702 also ships in 18.3.5 and 18.4.3), the following security vulnerabilities were addressed:
- Improper Access Control in Runner API (CVE-2025-11702): This vulnerability allowed authenticated users with specific permissions to hijack project runners from other projects. The patch introduced stricter permission checks within the Runner API to ensure that only authorized users can manage project runners.
- Denial of Service in Event Collection (CVE-2025-10497): Unauthenticated users could send specially crafted payloads to cause a denial of service. The fix involved implementing validation mechanisms to detect and reject malicious payloads, thereby preventing service disruption.
- Denial of Service in JSON Validation (CVE-2025-11447): Crafted JSON payloads in GraphQL requests could lead to a denial of service. The update enhanced JSON parsing and validation processes to handle such payloads securely, mitigating potential service interruptions.
- Denial of Service in File Uploads (CVE-2025-11974): Unauthenticated users could upload large files to specific API endpoints, leading to a denial of service. The patch introduced file size limits and authentication checks to prevent unauthorized large file uploads.
- Incorrect Authorization in Pipeline Builds (CVE-2025-11971): Authenticated users could trigger unauthorized pipeline executions by manipulating commits. The fix involved refining authorization checks to ensure that only permitted users can initiate pipeline builds.
- Business Logic Error in Group Memberships (CVE-2025-6601): Authenticated users could gain unauthorized project access by exploiting the access request approval workflow. The update corrected the approval process logic to prevent unauthorized access.
- Missing Authorization in Quick Actions (CVE-2025-11989): Authenticated users could execute unauthorized quick actions by including malicious commands in specific descriptions. The patch added authorization checks to quick actions to ensure that only authorized commands are executed.
These patches collectively strengthen GitLab's security posture by addressing vulnerabilities that could be exploited for unauthorized access or service disruption.
Patch source: GitLab 18.5.1 Patch Release
Affected Systems and Versions
- GitLab Enterprise Edition (EE) versions from 17.1 before 18.3.5
- GitLab EE 18.4 before 18.4.3
- GitLab EE 18.5 before 18.5.1
Community Edition (CE) is not affected by this vulnerability, and only self-managed deployments running the EE versions listed above are vulnerable. GitLab.com and GitLab Dedicated customers are not affected, as those instances have already been patched.
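As an added, self-contained check (not GitLab tooling), the following Python encodes the three affected ranges above and reports whether a given version string still needs the fix. The ranges are the ones stated on this page; the version strings it parses are constructed for the example, and the rule that an unlabelled edition is treated as EE is a conservative assumption of this script, not something the advisory states.

```python
import re
from typing import Optional

# Unpatched ranges from the affected-versions list above, as
# [first affected, first fixed) per release branch.
AFFECTED_RANGES = [
    ((17, 1, 0), (18, 3, 5)),
    ((18, 4, 0), (18, 4, 3)),
    ((18, 5, 0), (18, 5, 1)),
]

# Accepts "18.3.4", "v18.3.4", "18.3.4-ee", "18.4.2-ee.0"; edition suffix optional.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-(ee|ce)\b)?", re.IGNORECASE)


def parse_version(raw: str):
    """Return ((major, minor, patch), edition). Edition is 'ee', 'ce' or None
    when the string carries no suffix. A missing patch component reads as 0."""
    m = _VERSION_RE.match(raw.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {raw!r}")
    major, minor, patch, edition = m.groups()
    return (int(major), int(minor), int(patch or 0)), (edition.lower() if edition else None)


def fixed_version_for(raw: str) -> Optional[str]:
    """First patched release on this version's branch, or None when the
    version lies outside every affected range (older than 17.1 or already fixed)."""
    version, _ = parse_version(raw)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= version < first_fixed:
            return ".".join(map(str, first_fixed))
    return None


def is_affected(raw: str, edition: Optional[str] = None) -> bool:
    """True if the instance needs patching for CVE-2025-11702.
    Edition is taken from the argument, else from the '-ee'/'-ce' suffix; an
    unknown edition is treated as EE so the check errs on the side of patching."""
    _, suffix = parse_version(raw)
    ed = (edition or suffix or "ee").lower()
    if ed == "ce":
        return False  # advisory: Community Edition is not affected
    return fixed_version_for(raw) is not None


if __name__ == "__main__":
    # Constructed sample inputs covering each branch and both boundaries.
    for sample in ["18.3.4-ee", "18.3.5-ee", "18.4.2-ee", "18.4.3-ee",
                   "18.5.0-ee", "18.5.1-ee", "17.0.9-ee", "18.3.4-ce"]:
        print(sample, "affected" if is_affected(sample) else "ok",
              fixed_version_for(sample) or "")
```

The version string to feed in is the one shown in the instance's admin area or returned by the authenticated GET /api/v4/version endpoint; the edition suffix in that string decides the CE/EE branch, so pass `edition` explicitly if you strip it.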
Vendor Security History
GitLab has experienced several high and critical severity vulnerabilities in recent years, particularly in areas related to CI/CD runners and access control. Notable prior issues include:
- Runner hijacking vulnerabilities on shared macOS runners (HackerOne report)
- Malicious runner vulnerabilities allowing job theft or unauthorized code execution (Cycode analysis)
- Multiple improper access control and authorization bypass issues
GitLab maintains a public security release process and typically responds to critical vulnerabilities with dedicated patch releases. Their use of HackerOne for coordinated disclosure and their practice of releasing security advisories and patches within weeks of report submission indicate a mature vulnerability management process.