---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'GitLab -- Critical Path Traversal Vulnerability'
version: '1.0'
number: '2023-031'
original_date: 'May 23, 2023'
date: 'May 25, 2023'
---

_History:_

* _25/05/2023 --- v1.0 -- Initial publication_

# Summary

On May 23, 2023, GitLab released an emergency security update to address a critical severity path traversal flaw -- **CVE-2023-2825** -- with a CVSS v3.1 score of **10.0**. The issue was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) version 16.0.0; older versions are not affected. The flaw allows an unauthenticated attacker to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups [1,2].

# Technical Details

The critical path traversal flaw was discovered by a security researcher known as _pwnie_. It arises from a problem in the way GitLab manages or resolves paths for attached files nested within several levels of group hierarchy. An unauthenticated attacker can exploit it to read arbitrary files on the server, potentially exposing sensitive data such as proprietary source code, user credentials, tokens, files, and other private information.

The vulnerability can only be triggered under specific conditions, i.e., when there is an attachment in a public project nested within at least five groups [1,2].

# Products Affected

The issue affects GitLab Community Edition (CE) and Enterprise Edition (EE) version 16.0.0. Older versions are not affected by this vulnerability.

# Recommendations

CERT-EU strongly recommends that all installations running GitLab CE/EE version 16.0.0 be upgraded to version 16.0.1.

# References

[1]

[2]
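The following is an added example, not code from the advisory or from GitLab, illustrating the defensive principle behind this class of bug (validating every user-controlled path segment and confirming the normalized result stays under the upload root) and a simple detection pass over web server access logs. The upload root, the namespace layout and the access-log lines are constructed for the example and do not reflect GitLab's real on-disk layout or log format.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed, not GitLab's real layout: the directory that attachments must never escape.
UPLOAD_ROOT = "/srv/uploads"

_FORBIDDEN_SEGMENTS = {"", ".", ".."}


class PathTraversalError(ValueError):
    """Raised when a requested attachment path would escape the upload root."""


def resolve_attachment_path(upload_root, namespace_segments, filename):
    """Join user-controlled path segments under upload_root and verify containment.

    namespace_segments are the group/subgroup/project names taken from the
    request path (e.g. five nested groups plus the project).  Two independent
    layers are applied: every segment is rejected if it is empty, '.', '..' or
    contains a separator or NUL, and the normalized result is then checked to
    still lie under the root.  Either layer alone catches a '..' segment.
    """
    segments = [*namespace_segments, filename]
    for seg in segments:
        if seg in _FORBIDDEN_SEGMENTS or any(c in seg for c in "/\\\0"):
            raise PathTraversalError(f"rejected path segment: {seg!r}")
    root = posixpath.normpath(upload_root)
    resolved = posixpath.normpath(posixpath.join(root, *segments))
    # commonpath() collapses to the root only if resolved is inside it.
    if posixpath.commonpath([root, resolved]) != root:
        raise PathTraversalError(f"{resolved!r} escapes {root!r}")
    return resolved


def attachment_path_is_safe(upload_root, namespace_segments, filename):
    """Boolean wrapper around resolve_attachment_path() for policy checks."""
    try:
        resolve_attachment_path(upload_root, namespace_segments, filename)
        return True
    except PathTraversalError:
        return False


# Matches a '..' path segment after URL decoding; 'notes..txt' does not match.
_TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
_REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+)')


def flag_traversal_requests(log_lines):
    """Return (line_number, decoded_path) for requests containing a '..' segment.

    The path is decoded twice so that double-encoded sequences (%252e) are
    seen as well; the query string is ignored.
    """
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = _REQUEST_RE.search(line)
        if not m:
            continue
        path = unquote(unquote(m.group(1))).split("?", 1)[0]
        if _TRAVERSAL_RE.search(path):
            hits.append((n, path))
    return hits


# Constructed sample access-log lines (Common Log Format style), not real traffic.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [25/May/2023:10:00:01 +0000] "GET /g1/g2/g3/g4/g5/proj/uploads/abc123/readme.pdf HTTP/1.1" 200 512',
    '203.0.113.7 - - [25/May/2023:10:00:02 +0000] "GET /g1/g2/g3/g4/g5/proj/uploads/abc123/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1024',
    '203.0.113.7 - - [25/May/2023:10:00:03 +0000] "GET /g1/g2/g3/g4/g5/proj/uploads/abc123/notes..txt HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    nested = ["g1", "g2", "g3", "g4", "g5", "proj"]
    print(resolve_attachment_path(UPLOAD_ROOT, nested, "readme.pdf"))
    print(attachment_path_is_safe(UPLOAD_ROOT, nested + [".."], "readme.pdf"))
    for line_no, path in flag_traversal_requests(SAMPLE_ACCESS_LOG):
        print(f"line {line_no}: traversal segment in {path}")
```

The containment check is the part worth copying: normalizing and then comparing against the root catches traversal regardless of how many nesting levels the request carries, which is exactly the situation (deeply nested groups) in which path handling tends to diverge from the simple case. The log scan is a coarse first-pass hunt; legitimate file names containing dots (the third sample line) are not flagged.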