Here are some news items our team found interesting over the past week, which you might have missed.
- Seven CVEs have been patched in GitLab, several of them significant: gitlab.com is already patched, self-hosting users need to upgrade to 18.5.1, 18.4.3, or 18.3.5 using your package manager or by setting the appropriate image tag in Helm charts or equivalents:
- CVE-2025-11702 (CVSSv3=8.5) Runner API improper access control
- CVE-2025-10497 (CVSSv3=7.5) DoS in event collection
- CVE-2025-11447 (CVSSv3=7.5) DoS in GraphQL JSON validation
- CVE-2025-11974 (CVSSv3=6.5) DoS via file upload endpoints
- CVE-2025-11971 (CVSSv3=6.5) Incorrect authorization in pipeline builds
- CVE-2025-6601 (CVSSv3=3.8) Group membership business logic error
- CVE-2025-11989 (CVSSv3=3.7) Missing authorization in quick actions
- Apache Geode’s Management interface has a CSRF (Cross-Site Request Forgery) vulnerability introduced in 1.10 that can be exploited via the mgmt API. The vulnerability allows execution of the gfsh command, enabling unauthorized administration among other actions (CVE-2025-47410, CVSSv3=8.8). Update to 1.15.2 or newer.
Quick reminder: script snippets provided in this post are intended as starting points to adapt to your needs, and due to time constraints have received only limited testing. Always use public code snippets with care!
GitLab closes seven CVEs, self-hosted users must upgrade
Seven CVEs have been patched in GitLab, several are significant: gitlab.com instances are already patched, self-hosting users need to upgrade to 18.5.1, 18.4.3, or 18.3.5:
- CVE-2025-11702 [reserved, not yet published at time of writing] (CVSSv3=8.5) Runner API improper access control
- CVE-2025-10497 (CVSSv3=7.5) DoS in event collection
- CVE-2025-11447 (CVSSv3=7.5) DoS in GraphQL JSON validation
- CVE-2025-11974 (CVSSv3=6.5) DoS via file upload endpoints
- CVE-2025-11971 (CVSSv3=6.5) Incorrect authorization in pipeline builds
- CVE-2025-6601 (CVSSv3=3.8) Group membership business logic error
- CVE-2025-11989 (CVSSv3=3.7) Missing authorization in quick actions
Fixes are only available for the 18.x major version; users of older versions must plan to update to an 18.x branch. This information is repeated in each section below because of its importance.
CVE-2025-11702 (CVSSv3=8.5) Runner API improper access control (Enterprise Edition)
Reported by security researcher iamgk808, GitLab Enterprise Edition had a flaw in its Runner API that allowed an authenticated user that had a specific set of permissions to hijack runners being used by other projects. This allows an attacker who gains a foothold in one project with a GitLab Enterprise Edition deployment to attach and control runners in other projects, making it easy to pivot and exfiltrate CI secrets or run untrusted code in other projects’ contexts.
This is specific to Enterprise Edition, and affects versions starting with 17.1 through 18.5.0. Users must update to the appropriate 18.x branch.
Fixes are only available for the 18.x major version; users of older versions must plan to update to an 18.x branch.
CVE-2025-10497 (CVSSv3=7.5) DoS in event collection (Enterprise Edition and Community Edition)
Introduced in version 17.10, a failure to limit resources for event collection allows attackers to send very large events, or a very large number of events, to the event collection endpoint, exhausting server resources. WAF/reverse-proxy rate limits and request-size limits can mitigate; otherwise patch to the appropriate 18.x branch.
Fixes are only available for the 18.x major version; users of older versions must plan to update to an 18.x branch.
CVE-2025-11447 (CVSSv3=7.5) DoS in GraphQL JSON validation (Enterprise Edition and Community Edition)
A long-standing issue (introduced in 11.0) with unauthenticated GraphQL requests has been fixed in the 18.x branches. GraphQL requests can contain JSON “bombs” which cause heavy resource usage during validation of the JSON payload. This issue was reported by the researcher a92847865. Reverse proxies/WAFs can mitigate by limiting request rates, and identifying and blocking deeply-nested JSON documents.
To determine your scope of exposure, check how widely the GraphQL endpoint is reachable by probing it from different networks (including a public IP address). The endpoint answers unauthenticated POSTs, so an HTTP 200 to the trivial query below means an anonymous attacker can reach it:
# Probe from an outside network; 200 means the endpoint accepts unauthenticated GraphQL requests
curl -sS -o /dev/null -w '%{http_code}\n' -X POST -H 'Content-Type: application/json' --data '{"query":"{ __typename }"}' https://<gitlab>/api/graphql
Fixes are only available for the 18.x major version; users of older versions must plan to update to an 18.x branch.
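Both DoS issues above come down to accepting request bodies that are too large or too deeply nested before anything validates them. The following is an added example (our illustration, not GitLab code, and not how GitLab fixed either CVE) of a request-body guard a reverse proxy, API gateway or application front-end can apply: it enforces a byte cap, counts bracket nesting in a single O(n) scan that skips string contents, and only then hands the body to the JSON parser with Ruby's own max_nesting limit as a second line of defence. The limits MAX_BODY_BYTES and MAX_DEPTH, and the sample payloads, are assumptions chosen for the demonstration.

```ruby
require 'json'

# Assumed limits for the demonstration; tune for your deployment.
MAX_BODY_BYTES = 64 * 1024
MAX_DEPTH = 20

class BodyRejected < StandardError; end

# Cheap pre-parse scan: tracks nesting of [] and {} while skipping string
# contents (including escaped quotes), so a JSON "bomb" is detected in one
# linear pass with no recursion and no allocation of the nested structure.
def json_depth(body)
  depth = 0
  max = 0
  in_string = false
  escaped = false
  body.each_char do |c|
    if in_string
      if escaped
        escaped = false
      elsif c == '\\'
        escaped = true
      elsif c == '"'
        in_string = false
      end
      next
    end
    case c
    when '"' then in_string = true
    when '[', '{'
      depth += 1
      max = depth if depth > max
    when ']', '}'
      depth -= 1
    end
  end
  max
end

# Returns the parsed document, or raises BodyRejected before the expensive
# parse for oversized or over-nested bodies.
def parse_guarded(body, max_bytes: MAX_BODY_BYTES, max_depth: MAX_DEPTH)
  raise BodyRejected, "body too large: #{body.bytesize} bytes" if body.bytesize > max_bytes
  d = json_depth(body)
  raise BodyRejected, "nesting too deep: #{d}" if d > max_depth
  # Second line of defence: the parser enforces its own depth limit and raises
  # JSON::NestingError if the scan above were ever bypassed.
  JSON.parse(body, max_nesting: max_depth)
rescue JSON::NestingError => e
  raise BodyRejected, e.message
end

# Constructed sample payloads: a normal GraphQL request whose string values
# contain brackets and an escaped quote, and a 5000-level nesting bomb.
BENIGN = '{"query":"{ currentUser { username } }","variables":{"a":[1,2,{"b":"]}}\"]"}]}}'
BOMB = ('[' * 5_000) + (']' * 5_000)

if __FILE__ == $0
  puts "benign keys: #{parse_guarded(BENIGN).keys.inspect}"
  begin
    parse_guarded(BOMB)
  rescue BodyRejected => e
    puts "bomb rejected: #{e.message}"
  end
end
```

The pre-parse scan is what makes the guard cheap under attack: the parser never sees the bomb, and a WAF rule implementing the same two limits (body size, bracket depth) is the equivalent mitigation at the edge.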
CVE-2025-11974 (CVSSv3=6.5) DoS via file upload endpoints (Enterprise Edition and Community Edition)
A flaw in GitLab’s file upload system (introduced in 11.7) resulted in flawed (or, in some cases missing) resource caps on some API endpoints. This allowed unauthenticated users to post large content bodies that would consume bandwidth, exhaust worker pools, and fill up storage. GitLab discovered this internally and credits David Fernandez.
To determine your scope of exposure, check from a public network whether the API is reachable on affected versions. Note that GET /api/v4/version requires an authenticated token: an unauthenticated probe returning 401 already tells you the API is reachable from that network, and the second call reports the running version so you can compare it with the fixed releases:
curl -s -o /dev/null -w '%{http_code}\n' https://<gitlab>/api/v4/version   # 401 = reachable, auth required
curl -s --header "PRIVATE-TOKEN: $TOKEN" https://<gitlab>/api/v4/version | jq -r .version
Fixes are only available for the 18.x major version; users of older versions must plan to update to an 18.x branch.
CVE-2025-11971 (CVSSv3=6.5) Incorrect authorization in pipeline builds (Community Edition)
GitLab’s CI/CD pipeline permission system allows projects to ensure that pipelines only run on certain commit states (for example, when a merge has been made to a main branch). A flaw introduced in GitLab Community Edition 10.6 caused certain cases of such permissions to be insufficiently checked, allowing a code committer to run unauthorized pipelines; for example, triggering a deployment pipeline without authorization.
Since this requires an attacker to have some level of “write” permissions in the first place, this risk mainly attaches to projects that permit public contributions. However, private projects could be open to insider attacks or just simple developer mistakes.
On a self-managed instance you can use gitlab-rails runner (which has direct access to the application models) to identify CI configurations that deserve a closer look, for example how many projects have the CI/CD feature enabled for all project members:
# Count projects whose CI/CD (builds) feature is enabled for every member;
# builds_access_level lives on project_features, and ProjectFeature::ENABLED is 20
gitlab-rails runner 'puts ProjectFeature.where(builds_access_level: ProjectFeature::ENABLED).count'
Fixes are only available for the 18.x major version; users of older versions must plan to update to an 18.x branch.
CVE-2025-6601 (CVSSv3=3.8) Group membership business logic error (Enterprise Edition)
We don’t have a lot of details about this one, but researcher rhidayahh reported it to GitLab, who say that there are specific cases where the approval workflow for access requests could skip approvers. This can lead to elevated access. Without details it’s hard to assess the risk accurately, but it seems mainly to be the realm of a targeted attack against an organization. This is only in Enterprise Edition, and only in some specific branches since 18.4.
You can review recent instance audit events for unexpected membership or access-request approvals, which may be an indicator of attack:
# Instance audit events from the last 7 days (requires an administrator token; GNU date syntax)
curl -s --header "PRIVATE-TOKEN: $TOKEN" \
  "https://<gitlab>/api/v4/audit_events?created_after=$(date -I -d '7 days ago')" | jq '.[] | {created_at, author_id, entity_type, details}'
Fixes are only available for the 18.x major version; users of older versions must plan to update to an 18.x branch.
CVE-2025-11989 (CVSSv3=3.7) Missing authorization in quick actions (Enterprise Edition)
A flaw introduced in 17.6 allowed attackers without appropriate “quick actions” authorization to embed commands inside of descriptions and get them to execute in the “quick action” context. Discovered by GitLab themselves (credit: Eva Kadlecová), this affects only Enterprise Edition.
You can review recent issues and Merge Requests for indicators that quick actions (adding labels, assigning, closing, etc.) were unexpectedly executed:
# Example: issues updated in the last 24h, with their current labels (GNU date syntax)
curl -s --header "PRIVATE-TOKEN: $TOKEN" \
  "https://<gitlab>/api/v4/projects/<id>/issues?updated_after=$(date -u -d '24 hours ago' -Iseconds)" \
  | jq '.[] | {iid, updated_at, labels}'
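Quick actions are lines in an issue or merge request description (or comment) that begin with a slash command such as /label ~bug or /assign @user, so the text that was submitted can be scanned for them directly. The following is an added example (ours, not GitLab code) that does this over records shaped like the issues API output: it matches only lines that start with a command, so a slash inside a URL mid-line is ignored, and it flags commands from a watch list. The command list WATCHED and the SAMPLE records are constructed for the demonstration; extend the list for your instance.

```ruby
# Illustrative watch list of quick actions that change state (assumption: add
# the ones your workflows care about).
WATCHED = %w[label unlabel assign unassign close reopen confidential milestone
             due approve merge lock unlock].freeze

# A quick action is a whole line that begins with "/command [arguments]".
QUICK_ACTION = %r{\A/([a-z_]+)(?:\s+(.*))?\z}

# Returns the quick actions found in a body of text, in order.
def quick_actions_in(text)
  text.to_s.each_line.filter_map do |line|
    m = QUICK_ACTION.match(line.strip)
    next unless m
    { command: m[1], args: m[2].to_s.strip }
  end
end

# Scans each item's description and notes; returns one finding per watched
# quick action with where it was found and who authored the item.
def review_items(items, watched: WATCHED)
  items.flat_map do |item|
    bodies = [["description", item[:description]]] +
             item.fetch(:notes, []).map { |n| ["note by #{n[:author]}", n[:body]] }
    bodies.flat_map do |where, body|
      quick_actions_in(body)
        .select { |qa| watched.include?(qa[:command]) }
        .map { |qa| qa.merge(iid: item[:iid], where: where, author: item[:author]) }
    end
  end
end

# Constructed sample records (not real API output).
SAMPLE = [
  { iid: 101, author: "extcontrib",
    description: "Fix typo in README\n\n/label ~release\n/milestone %\"v18.5\"", notes: [] },
  { iid: 102, author: "dev1",
    description: "See https://example.invalid/path/label ~bug",
    notes: [{ author: "guestuser", body: "LGTM\n/approve" }] },
  { iid: 103, author: "dev2", description: "Normal MR", notes: [] },
].freeze

if __FILE__ == $0
  review_items(SAMPLE).each do |f|
    puts "##{f[:iid]} (#{f[:author]}) #{f[:where]}: /#{f[:command]} #{f[:args]}"
  end
end
```

Feed it the JSON from the issues or merge_requests API (with notes fetched per item) and compare the authors of flagged items against who should hold the permission the command implies; a /label or /approve from a user who cannot normally do that is the indicator to chase.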
Apache Geode management API CSRF
Apache Geode’s Management interface has a CSRF (Cross-Site Request Forgery) vulnerability introduced in 1.10 that can be exploited via the mgmt API. The vulnerability allows execution of the gfsh command, enabling unauthorized administration among other actions (CVE-2025-47410, CVSSv3=8.8). Update to 1.15.2 or newer.
Risk can be mitigated by some kinds of WAF configuration or API gateway controls, though specifics vary widely between implementations. Removing execute permissions from the gfsh command on deployed Geode instances also reduces risk, though it may have organizational impacts. Disabling the management API, and/or placing network access controls so that the API isn’t publicly exposed, may also be useful for those who cannot promptly upgrade.
Since the impacted endpoints act on authenticated GET requests, an attacker only needs a logged-in administrator to follow an attacker-controlled link for the browser to send the request with that user’s credentials; in short, this is relatively easy to use as part of a phishing or spear-phishing attack.
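To make the "WAF or API gateway control" concrete, here is an added illustration (ours, not Apache Geode code, and not a description of the upstream fix) of the decision such a gateway can make in front of a management API to block the browser-driven cross-site request described above. It refuses top-level navigations (the phishing-link case), refuses requests browsers label as cross-site via Sec-Fetch-Site, falls back to an Origin/Referer allow-list for older browsers, and lets header-less clients such as CLI tools through to the API’s own authentication. The path prefix MGMT_PREFIX, the TRUSTED_ORIGINS list and the header sets are assumptions for the demonstration.

```ruby
require 'uri'

MGMT_PREFIX = "/management/"                                     # assumed API path
TRUSTED_ORIGINS = ["https://geode-admin.example.internal"].freeze # assumed admin UI

# Reduce an Origin or Referer header value to scheme://host[:port].
def origin_of(value)
  return nil if value.nil? || value.empty?
  u = URI.parse(value)
  return nil unless u.scheme && u.host
  port = (u.port && u.port != u.default_port) ? ":#{u.port}" : ""
  "#{u.scheme}://#{u.host}#{port}"
rescue URI::InvalidURIError
  nil
end

# Returns [allowed, reason]. The HTTP method is deliberately not used to exempt
# GET: the affected endpoints act on GET, so GET gets no free pass here.
def allow_request?(method, path, headers, trusted: TRUSTED_ORIGINS)
  return [true, "not a management path"] unless path.start_with?(MGMT_PREFIX)

  # A browser following a link arrives as a top-level navigation; a JSON API is
  # only ever driven by scripts, so refuse these outright.
  if headers["Sec-Fetch-Mode"] == "navigate" || headers["Sec-Fetch-Dest"] == "document"
    return [false, "#{method} by top-level navigation"]
  end

  # Current browsers label cross-site requests explicitly.
  return [false, "cross-site request"] if headers["Sec-Fetch-Site"] == "cross-site"

  # Older browsers: fall back to Origin, then Referer, against the allow-list.
  src = origin_of(headers["Origin"]) || origin_of(headers["Referer"])
  return [false, "untrusted origin #{src}"] if src && !trusted.include?(src)

  # No browser metadata at all (CLI tools, automation): pass through; the
  # management API's own authentication still applies upstream.
  [true, "allowed"]
end

# Constructed header sets for the scenarios discussed.
PHISHING_LINK = { "Sec-Fetch-Mode" => "navigate", "Sec-Fetch-Dest" => "document",
                  "Sec-Fetch-Site" => "cross-site", "Referer" => "https://evil.example/lure" }.freeze
CROSS_SITE_FETCH = { "Sec-Fetch-Site" => "cross-site", "Sec-Fetch-Mode" => "no-cors",
                     "Origin" => "https://evil.example" }.freeze
LEGACY_BROWSER = { "Referer" => "https://evil.example/lure" }.freeze
ADMIN_UI = { "Sec-Fetch-Site" => "same-origin", "Sec-Fetch-Mode" => "cors",
             "Origin" => "https://geode-admin.example.internal" }.freeze
CLI_CLIENT = {}.freeze

if __FILE__ == $0
  { "phishing link" => PHISHING_LINK, "cross-site fetch" => CROSS_SITE_FETCH,
    "legacy browser" => LEGACY_BROWSER, "admin UI" => ADMIN_UI, "cli client" => CLI_CLIENT }.each do |name, h|
    ok, why = allow_request?("GET", "#{MGMT_PREFIX}example", h)
    puts "#{name.ljust(16)} #{ok ? 'ALLOW' : 'DENY '} (#{why})"
  end
end
```

The design choice worth noting is the first rule: a management API has no legitimate reason to be reached by a user clicking a link, so denying navigations closes the phishing path regardless of what the endpoint does with GET. The Origin/Referer fallback is weaker (both headers can be absent) and only supplements the Fetch Metadata checks.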