An issue has been discovered in GitLab CE/EE affecting all versions from 16.1.0 before 16.11.5, all versions starting from 17.0 before 17.0.3, all versions starting from 17.1.0 before 17.1.1 which allowed for a CSRF attack on GitLab's GraphQL API leading to the execution of arbitrary GraphQL mutations.
Fixes

Solution

Upgrade to versions 16.11.5, 17.0.3, 17.1.1 or above.


Workaround

No workaround given by the vendor.

History

Tue, 12 Aug 2025 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:17.1.0:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:17.1.0:*:*:*:enterprise:*:*:*

Fri, 11 Jul 2025 13:45:00 +0000

Type: Metrics
Values Removed: epss {'score': 4e-05}
Values Added: epss {'score': 5e-05}


Mon, 23 Jun 2025 16:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 20 Jun 2025 18:30:00 +0000

Values Added:
Description: An issue has been discovered in GitLab CE/EE affecting all versions from 16.1.0 before 16.11.5, all versions starting from 17.0 before 17.0.3, all versions starting from 17.1.0 before 17.1.1 which allowed for a CSRF attack on GitLab's GraphQL API leading to the execution of arbitrary GraphQL mutations.
Title: Cross-Site Request Forgery (CSRF) in GitLab
First Time appeared: Gitlab, Gitlab gitlab
Weaknesses: CWE-352
CPEs: cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products: Gitlab, Gitlab gitlab
References:
Metrics: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2025-06-23T15:22:37.297Z

Reserved: 2024-05-16T10:30:52.440Z

Link: CVE-2024-4994

Vulnrichment

Updated: 2025-06-23T15:22:34.545Z

NVD

Status: Analyzed

Published: 2025-06-20T19:15:35.460

Modified: 2025-08-12T14:52:02.520

Link: CVE-2024-4994

Redhat

No data.

OpenCVE Enrichment

No data.