Yesterday the developers of Ruby on Rails released a security advisory for the file existence disclosure vulnerability CVE-2014-7818. GitLab is not affected by this vulnerability.


CVE-2014-7818 affects Rails applications that set config.serve_static_assets = true. GitLab ships with config.serve_static_assets set to false in config/environments/production.rb because it relies on NGINX (or Apache) to serve static files.
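
To confirm the same precondition on another Rails application, the setting can be classified per environment file. The script below is an added example, not GitLab or Rails code; the file names other than config/environments/production.rb, the sample contents and the function names are constructed for illustration.

```ruby
# Added example: classify config.serve_static_assets in Rails environment files.
ASSIGNMENT = /\bconfig\.serve_static_assets\s*=\s*(.+?)\s*\z/

# Returns :enabled, :disabled, :dynamic (value is not a literal) or :unset.
# The last assignment in the file wins, as it would when Ruby evaluates it.
def serve_static_assets_setting(source)
  state = :unset
  source.each_line do |line|
    code = line.sub(/#.*/, '').rstrip # drop comments (naive: ignores '#' in strings)
    match = ASSIGNMENT.match(code)
    next unless match
    state = case match[1]
            when 'true'  then :enabled
            when 'false' then :disabled
            else :dynamic # e.g. driven by an environment variable; review by hand
            end
  end
  state
end

# Maps path => state for every file that is not explicitly set to false.
# :unset is reported too, because the app then falls back to the framework
# default, which has to be checked for the Rails version in use.
def files_needing_review(sources)
  sources.map { |path, src| [path, serve_static_assets_setting(src)] }
         .reject { |_path, state| state == :disabled }
         .to_h
end

# Constructed sample inputs (not taken from any real repository).
SAMPLES = {
  'config/environments/production.rb' => <<~RUBY,
    # config.serve_static_assets = true
    config.serve_static_assets = false  # web server serves public/
  RUBY
  'config/environments/staging.rb' => <<~RUBY,
    config.serve_static_assets = false
    config.serve_static_assets = true
  RUBY
  'config/environments/custom.rb' => <<~RUBY
    config.serve_static_assets = ENV['SERVE_STATIC'].present?
  RUBY
}.freeze

if __FILE__ == $PROGRAM_NAME
  files_needing_review(SAMPLES).each { |path, state| puts "#{path}: #{state}" }
end
```

To audit a real checkout, build the hash from Dir.glob('config/environments/*.rb') and File.read instead of SAMPLES.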

Please contact us at if you have any questions about this issue.
