Multiple Gitlab Security Vulnerabilities Let Attackers Trigger DoS Condition

GitLab has released patch versions 18.5.1, 18.4.3, and 18.3.5 for its Community Edition (CE) and Enterprise Edition (EE) to address multiple security flaws, several of them high-severity denial-of-service (DoS) vulnerabilities.

These updates fix issues allowing specially crafted payloads to overwhelm systems, alongside access control and authorization bugs affecting authenticated users.

The company emphasizes immediate upgrades for all self-managed installations, noting that GitLab[.]com is already protected, and Dedicated customers require no action.

Among the most pressing fixes are three DoS vulnerabilities rated high or medium severity, two of which let remote attackers exhaust instance resources without any authentication.

The first, CVE-2025-10497, targets event collection: unauthenticated users can send crafted payloads that trigger resource exhaustion and deny service.

It affects CE/EE from version 17.10 up to the patched releases and carries a CVSS score of 7.5, reflecting low attack complexity, no privileges required, and high availability impact.

Similarly, CVE-2025-11447 abuses JSON validation of GraphQL requests, allowing unauthenticated actors to flood the system with malicious payloads; every version from 11.0 onward is affected.

This flaw also scores 7.5 on CVSS, covers a very broad range of installations, and can stall API responses entirely.

A medium-severity DoS issue, CVE-2025-11974, arises during file uploads to specific API endpoints, where large files consume excessive resources. Versions from 11.7 onward are vulnerable. Its CVSS score of 6.5 is lower than the other two because, unlike them, it requires an authenticated low-privilege account rather than anonymous access.

These vulnerabilities were reported through GitLab's HackerOne bug bounty program or discovered internally, and together they show that event processing, request validation, and upload handling remain exposed attack surfaces.

CVE ID           Description               Severity  CVSS  Impacted versions (CE/EE unless noted)
CVE-2025-10497   DoS in event collection   High      7.5   17.10 before 18.3.5, 18.4 before 18.4.3, 18.5 before 18.5.1
CVE-2025-11447   DoS in JSON validation    High      7.5   11.0 before 18.3.5, 18.4 before 18.4.3, 18.5 before 18.5.1
CVE-2025-11974   DoS in upload             Medium    6.5   11.7 before 18.3.5, 18.4 before 18.4.3, 18.5 before 18.5.1
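The version ranges in the table are easy to misread because the lower bound differs per CVE while the upper bound depends on which release branch an instance runs. The following script, added here as an example and not GitLab's own tooling, encodes exactly the ranges in the table and reports which of the three DoS CVEs apply to a given version string. The version strings fed to it are constructed for illustration; the assumption that any branch newer than 18.5 is already fixed is the script's own, not something the advisory states.

```python
"""Map a self-managed GitLab version onto the three DoS CVEs in the table.

Added example, not part of GitLab's advisory or tooling. Branches newer
than 18.5 are assumed to postdate the fixes (an assumption of this script).
"""
from __future__ import annotations

import re
import sys
from typing import List, Tuple

Version = Tuple[int, int, int]

# Fixed patch level per release branch, exactly as listed in the table.
FIXED_BY_BRANCH = {
    (18, 3): (18, 3, 5),
    (18, 4): (18, 4, 3),
    (18, 5): (18, 5, 1),
}

# Earliest affected version per CVE (lower bound of each table row).
FIRST_AFFECTED = {
    "CVE-2025-10497": (17, 10, 0),   # DoS in event collection
    "CVE-2025-11447": (11, 0, 0),    # DoS in JSON validation
    "CVE-2025-11974": (11, 7, 0),    # DoS in upload
}


def parse_version(s: str) -> Version:
    """Accept '18.4.2', 'v18.4.2', '18.4.2-ee', '18.4' -> (major, minor, patch)."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", s.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {s!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_fixed(v: Version) -> bool:
    """True if v is at or above the fixed release for its branch.

    Branches below 18.3 received no patch in this advisory, so they are
    treated as unfixed; branches above 18.5 are assumed newer than the fixes.
    """
    branch = (v[0], v[1])
    if branch in FIXED_BY_BRANCH:
        return v >= FIXED_BY_BRANCH[branch]
    return branch > (18, 5)


def affected_cves(version_str: str) -> List[str]:
    """Return the CVE IDs from the table that apply to the given version."""
    v = parse_version(version_str)
    if is_fixed(v):
        return []
    # A version is affected by a CVE if it is at or past that CVE's lower bound.
    return [cve for cve, first in FIRST_AFFECTED.items() if v >= first]


if __name__ == "__main__":
    # Constructed sample inputs; pass a real version string on the command line.
    for candidate in sys.argv[1:] or ["18.4.2-ee", "18.3.5", "17.9.2", "11.0.0"]:
        hits = affected_cves(candidate)
        print(f"{candidate}: {', '.join(hits) if hits else 'not affected'}")
```

Feed it the version reported by the instance (for Omnibus installs, `sudo gitlab-rake gitlab:env:info` prints it; the `/api/v4/version` endpoint returns it to an authenticated API user). Note that an 18.2.x instance is reported as affected by all three CVEs even though it is not listed by name in the table: no 18.2 patch exists, so the only remediation is moving to a patched branch.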

Beyond DoS threats, the patches remediate higher-impact issues such as CVE-2025-11702, a high-severity improper access control flaw in the runner API (EE only) that lets authenticated users hijack runners belonging to other projects (CVSS 8.5).

CVE-2025-11971 addresses incorrect authorization in CE pipeline builds, where manipulated commits could trigger pipeline executions the user was not authorized to run (CVSS 6.5).

Lower-severity flaws include a business logic error in EE group memberships (CVE-2025-6601, CVSS 3.8) and missing authorization checks in quick actions (CVE-2025-11989, CVSS 3.7), either of which could lead to unintended access or command execution.

These fixes ship on GitLab's regular twice-monthly patch release schedule, and full details of each issue are made public on GitLab's issue tracker 30 days after the release. Non-security bug fixes in the same updates address a Redis gem downgrade, connection pool errors, and Geo routing leaks across the patched versions.

Mitigations

GitLab strongly urges upgrading all affected self-managed instances immediately to mitigate these risks; the patches apply equally to Omnibus, source, and Helm chart deployments.

Following best practices such as regular patching, as outlined in GitLab's handbook, keeps security hygiene high. No exploitation has been reported at the time of writing, and proactive updates prevent these flaws from disrupting development workflows.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.