An issue has been discovered in GitLab CE/EE affecting all versions before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that under certain conditions could have allowed an authenticated attacker to distribute malicious code that appears harmless in the web interface by taking advantage of ambiguity between branches and tags during repository imports.
History
                    Tue, 02 Sep 2025 18:00:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| CPEs | cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* cpe:2.3:a:gitlab:gitlab:18.3.0:*:*:*:community:*:*:* cpe:2.3:a:gitlab:gitlab:18.3.0:*:*:*:enterprise:*:*:* | |
Wed, 27 Aug 2025 20:15:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| Metrics | ssvc | |
Wed, 27 Aug 2025 19:45:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| Description | An issue has been discovered in GitLab CE/EE affecting all versions before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that under certain conditions could have allowed an authenticated attacker to distribute malicious code that appears harmless in the web interface by taking advantage of ambiguity between branches and tags during repository imports. | |
| Title | Improper Control of Generation of Code ('Code Injection') in GitLab | |
| First Time appeared | Gitlab Gitlab gitlab | |
| Weaknesses | CWE-94 | |
| CPEs | cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:* | |
| Vendors & Products | Gitlab Gitlab gitlab | |
| References |  | |
| Metrics | cvssV3_1 | |
MITRE
Status: PUBLISHED
Assigner: GitLab
Published: 2025-08-27T19:33:36.040Z
Updated: 2025-08-27T19:53:36.682Z
Reserved: 2025-05-22T21:30:42.068Z
Link: CVE-2025-5101
Vulnrichment
Updated: 2025-08-27T19:53:30.331Z
NVD
Status: Analyzed
Published: 2025-08-27T20:15:34.303
Modified: 2025-09-02T17:47:34.833
Link: CVE-2025-5101
Redhat
No data.