In recent years, there has been a substantial increase in the use of GitLab as a platform for continuous integration and continuous deployment (CI/CD) solutions for various development teams. With this increased usage, it is crucial to stay up-to-date on any potential vulnerabilities that could impact the security of the platform. One such vulnerability, identified as CVE-2025-1198, was discovered in GitLab CE/EE and has been determined to affect all versions from 16.11 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2.
This post will discuss the fundamentals of CVE-2025-1198, provide a code snippet that demonstrates the issue, provide links to original references, and detail the exploit and its potential impact on affected platforms.
CVE-2025-1198 Overview
The vulnerability, identified as CVE-2025-1198, was discovered in GitLab CE/EE and affects all versions from 16.11 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2. It specifically affects long-lived connections in ActionCable, the Rails component GitLab uses for real-time, WebSocket-based communication between the browser and the server.
The vulnerability arises because a Personal Access Token (PAT) is checked when the ActionCable connection is established, and a later revocation of that PAT is not enforced against connections that are already open. A client that authenticated with a PAT before it was revoked therefore keeps receiving streaming results after the revocation. Since revoking a PAT is the standard response to a leaked token, this undermines that response: data the token was authorised to see, including data from private projects, can keep flowing to the holder of a token its owner believes is dead.
Code Snippet
Below is a snippet that illustrates the pattern behind the issue. An ActionCable connection is authenticated with a Personal Access Token (PAT) when the WebSocket is opened, a channel subscribes the client to a stream of results, and a controller action later revokes the PAT. Nothing in this flow re-checks the token or closes the connection once the token is revoked, so the subscription keeps delivering results to a client whose token is no longer valid.
# app/channels/application_cable/connection.rb
# The PAT is checked exactly once, when the WebSocket is opened. Nothing
# below re-checks it for the lifetime of the connection.
module ApplicationCable
  class Connection < ActionCable::Connection::Base
    identified_by :current_user

    def connect
      self.current_user = find_verified_user
    end

    private

    # Illustrative lookup only (find_by_personal_access_token is a hypothetical
    # helper): resolve the PAT sent by the client to a user, or reject.
    def find_verified_user
      token = request.params[:private_token]
      User.find_by_personal_access_token(token) || reject_unauthorized_connection
    end
  end
end

# app/channels/results_channel.rb
class ResultsChannel < ApplicationCable::Channel
  def subscribed
    # The subscription stays open until the socket itself closes.
    stream_from 'results'
  end
end

# config/routes.rb
Rails.application.routes.draw do
  mount ActionCable.server => '/cable'
end

// app/javascript/channels/results.js
App.results = App.cable.subscriptions.create('ResultsChannel', {
  connected: function() {
    console.log('Connected to ResultsChannel');
  },
  disconnected: function() {
    console.log('Disconnected from ResultsChannel');
  },
  received: function(data) {
    // Streaming results arrive here for as long as the connection lives
    console.log(data);
  }
});

# app/controllers/results_controller.rb
class ResultsController < ApplicationController
  def revoke_token
    # Illustrative: marks the token revoked (revoke_access_token! is a
    # hypothetical helper) but does nothing to open ActionCable connections,
    # so the stream above keeps delivering.
    current_user.revoke_access_token!
    redirect_back fallback_location: root_path
  end
end
The official GitLab advisory for this issue is the patch release announcement covering the fixed versions:
GitLab Patch Release: 17.8.2, 17.7.4, 17.6.5
Exploit Details
The primary impact of this vulnerability is that revoking a Personal Access Token is not enforced against ActionCable connections that were established while the token was still valid. Whoever holds such a token keeps receiving whatever streaming results the open subscription delivers, which can include data from private projects the token was scoped to.
No interception of traffic is required. The realistic scenario is a token that was compromised and then revoked: the owner reasonably assumes revocation has cut the holder off, while a WebSocket session the holder opened before the revocation continues to stream. Only new requests and new connection attempts with the revoked token are rejected as expected.
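The following is an added example, not GitLab's code or the original post's, that models the scenario above in plain Ruby: one server variant trusts the connect-time token check for the lifetime of the stream, the other re-checks the token before every push and disconnects live connections when a token is revoked. The class names, the glpat- token format and the sample messages are assumptions made for the demonstration.

```ruby
# Added example (not GitLab's code): plain-Ruby model of the ActionCable
# failure mode behind CVE-2025-1198. TokenStore, StreamServer and
# StreamConnection are assumed names; no Rails or GitLab code is involved.
require 'securerandom'

# Stand-in for the personal access token table.
class TokenStore
  def initialize
    @tokens = {} # token string => { user:, revoked: }
  end

  def issue(user)
    token = "glpat-#{SecureRandom.hex(10)}" # assumed token format
    @tokens[token] = { user: user, revoked: false }
    token
  end

  # Owning user for a live token; nil if the token is unknown or revoked.
  def user_for(token)
    entry = @tokens[token]
    entry && !entry[:revoked] ? entry[:user] : nil
  end

  def revoke(token)
    @tokens.fetch(token)[:revoked] = true
  end
end

# One long-lived client connection subscribed to the results stream.
class StreamConnection
  attr_reader :user, :token, :received

  def initialize(user, token)
    @user, @token = user, token
    @received = []
    @open = true
  end

  def open?
    @open
  end

  def close!
    @open = false
  end

  def deliver(message)
    @received << message
  end
end

class StreamServer
  def initialize(store, hardened:)
    @store, @hardened, @connections = store, hardened, []
  end

  # Mirrors ApplicationCable::Connection#connect: the PAT is checked here, once.
  def connect(token)
    user = @store.user_for(token)
    raise 'unauthorized' if user.nil?
    conn = StreamConnection.new(user, token)
    @connections << conn
    conn
  end

  # Push to every subscriber. The vulnerable server trusts the connect-time
  # check forever; the hardened server re-checks the token before each push
  # and closes the connection when the token is no longer valid.
  def broadcast(message)
    @connections.each do |conn|
      next unless conn.open?
      if @hardened && @store.user_for(conn.token).nil?
        conn.close!
        next
      end
      conn.deliver(message)
    end
  end

  # Revocation. The hardened server also disconnects live connections that
  # authenticated with the token (the ActionCable analogue is
  # ActionCable.server.remote_connections.where(current_user: user).disconnect).
  def revoke(token)
    @store.revoke(token)
    return unless @hardened
    @connections.each { |c| c.close! if c.token == token }
  end
end

# Revoke a token while a stream opened with it is still subscribed, then
# check what the old connection received and whether a fresh connect works.
def run_scenario(hardened:)
  store  = TokenStore.new
  server = StreamServer.new(store, hardened: hardened)
  token  = store.issue('alice')
  conn   = server.connect(token)
  server.broadcast('result line 1') # before revocation
  server.revoke(token)
  server.broadcast('result line 2') # after revocation
  reconnect_ok = begin
    server.connect(token)
    true
  rescue RuntimeError
    false
  end
  { received: conn.received.dup, open: conn.open?, reconnect_ok: reconnect_ok }
end

if __FILE__ == $PROGRAM_NAME
  p run_scenario(hardened: false) # old stream still receives after revoke
  p run_scenario(hardened: true)  # old stream closed, nothing more delivered
end
```

In both variants a new connection with the revoked token is refused, which is why revocation looks effective from the outside; only the hardened variant also stops the stream that was already open.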
In conclusion, CVE-2025-1198 in GitLab CE/EE poses a real risk to sensitive information on any affected instance, because it breaks the assumption that revoking a Personal Access Token ends all access through it. Upgrade to 17.6.5, 17.7.4 or 17.8.2 (or later) as released by GitLab. On an unpatched instance, revoking a leaked PAT should not be assumed to have terminated streaming sessions that were already established with it.
Timeline
Published on: 02/13/2025 02:15:29 UTC