CVE Vulnerabilities

CVE-2025-1198

Insufficient Session Expiration

Published: Feb 13, 2025 | Modified: Aug 06, 2025
CVSS 3.x
5.3
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
MEDIUM

An issue discovered in GitLab CE/EE affecting all versions from 16.11 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 meant that long-lived connections in ActionCable potentially allowed revoked Personal Access Tokens access to streaming results.

Weakness

According to WASC, “Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.”

Affected Software

Name Vendor Start Version End Version
Gitlab Gitlab 16.11.0 (including) 17.6.5 (excluding)
Gitlab Gitlab 17.7.0 (including) 17.7.4 (excluding)
Gitlab Gitlab 17.8.0 (including) 17.8.2 (excluding)
Gitlab Ubuntu esm-apps/xenial *

Potential Mitigations

References