CVE CyberSecurity Database News

CVE-2025-1198 - How Personal Access Token Revocation Was Bypassed in GitLab ActionCable (With Exploit Insight)

Poster -

---

What Is CVE-2025-1198?

In early 2025, GitLab patched a critical security flaw: CVE-2025-1198. The bug affects *all versions* of GitLab CE/EE from 16.11 up to (but not including) 17.6.5, 17.7 up to (but not including) 17.7.4, and 17.8 up to (but not including) 17.8.2.

Summary:
If you use Personal Access Tokens (PATs) in your GitLab, and rely on immediate revocation to kick attackers out, you are in for a surprise. Through ActionCable, GitLab’s WebSocket framework, an attacker could keep a live connection that remained valid *even after* their token was revoked, letting them potentially keep accessing streaming results.

Let’s break down what this means, how the attack works, and what you need to do.

ActionCable and the Problem With Live Connections

ActionCable is a Ruby on Rails feature used by GitLab for real-time features like notifications and job logs. It manages persistent WebSocket connections so the server can “push” messages to the client.

The Issue:
When you establish a WebSocket connection using a PAT, GitLab checks the token once—*at the start*. But if that token is later revoked (by an admin, user, or via an expiration policy), the connection is *not* dropped. It just keeps streaming! That means:

- If I, as a user (or an attacker), got a token, started a WebSocket, and then you revoked that token...

...I’d keep getting live data until I disconnect.

Analogy:
Imagine giving a guest a key to your house, and even after changing the locks, the guest can stay inside until they *choose* to leave. Not ideal!

Practical Exploitation Flow

Let’s walk through a hypothetical exploit using curl and websocat (or JavaScript) to highlight how it works.

Suppose an attacker gets an access token for a GitLab account

glpat-123456789abcdef

Connecting to ActionCable with a valid PAT using websocat

websocat -H "Authorization: Bearer glpat-123456789abcdef" \
    wss://gitlab.example.com/cable

The server authenticates this token, and the attacker starts watching real-time job logs, notifications, etc.

Step 3: The Token Gets Revoked

The account owner or admin sees something weird, and *revokes* the token.

Step 4: The Attacker Keeps the WebSocket Open

Here’s the kicker:
Even after the token is revoked, the WebSocket stream keeps going, with all privileges the token had!
The server *does not* re-check token validity for the lifespan of the open connection.

Step 5: The Attacker Watches Real-Time Data

They can continue streaming project notification channels, job logs, and potentially sensitive live info until the connection is interrupted (by network, server restart, idle timeout, or manual disconnect).

Here’s a simplified JavaScript/WebSocket client to demonstrate

const ws = new WebSocket("wss://gitlab.example.com/cable", [], {
  headers: {
    Authorization: "Bearer glpat-123456789abcdef"
  }
});
ws.onopen = () => {
  ws.send(JSON.stringify({
    command: "subscribe",
    identifier: '{"channel":"JobLogChannel","job_id":"123456"}'
  }));
};
ws.onmessage = (msg) => {
  console.log(msg.data); // Still receives messages after revocation!
};

With this, any attacker can keep a tap on real-time data.

Real-World Impact

- Delayed Revocation: If an access token is leaked or misused, *simple revocation does not fully lock the attacker out* as expected.
- Data Exposure: If sensitive pipeline logs or notifications are streamed, they remain exposed until all live connections are killed.
- Security Assumption Broken: Many users and admins assume revoking a PAT cuts all access instantly, but in this case it did not.

17.8.2

In these versions and later, GitLab now re-checks token validity during the ActionCable session, dropping connections for tokens that are revoked.

> Upgrade Now
> GitLab Security Release Blog: March 2025
> CVE-2025-1198 NVD Entry

Upgrade Immediately: Run at least the patched versions listed above.

2. Monitor Active WebSockets: Consider monitoring and limiting the lifetime of ActionCable sessions.

Audit Token Usage: Review logs for suspicious long-lived connections.

4. Educate Users: Inform team members and admins about proper token hygiene and the potential lag in token revocation’s effect on WebSocket streams (pre-patch).

Final Thoughts

CVE-2025-1198 is a reminder that authentication isn’t just about the initial check, but *ongoing validation* for long-lived sessions. WebSockets and other persistent connections need regular re-authentication—otherwise “revoke” may not mean what you think.

If you're running self-hosted GitLab, don’t sleep on this update!

*This post is exclusive, written in clear American English, summarizing the real risk and giving you just enough technical detail to act. Stay secure, and keep your tools up-to-date!*


References:
- GitLab Release Notes
- HackerOne Report (where applicable)
- NVD CVE-2025-1198 Listing

Timeline

Published on: 02/13/2025 02:15:29 UTC