
GitLab has released critical security updates for its Community Edition (CE) and Enterprise Edition (EE) to address multiple high-severity vulnerabilities.
The patches, rolled out in versions 18.6.1, 18.5.3, and 18.4.5, fix security flaws that could allow attackers to bypass authentication, steal user credentials, or crash servers through Denial-of-Service (DoS) attacks.
Security experts and GitLab administrators are being urged to upgrade their self-managed installations immediately. GitLab.com has already been patched to protect users.
## Credential Theft and System Crashes
The most concerning vulnerability in this release is CVE-2024-9183, a high-severity race condition in the CI/CD cache.
This flaw could allow an authenticated attacker to steal credentials from users with higher privileges.
By exploiting this timing error, a malicious user could take over administrative accounts or perform unauthorized actions.
| CVE ID | Severity | Type | Description |
|---|---|---|---|
| CVE-2024-9183 | High | Privilege Escalation | A race condition in CI/CD cache allowing users to obtain higher-privileged credentials. |
| CVE-2025-12571 | High | Denial of Service | Unauthenticated users can crash the system via malicious JSON input. |
| CVE-2025-12653 | Medium | Auth Bypass | Unauthenticated users could join arbitrary organizations by altering headers. |
| CVE-2025-7449 | Medium | Denial of Service | Authenticated users can cause a crash via HTTP response processing. |
| CVE-2025-6195 | Medium | Improper Authorization | (EE Only) Users could view restricted security reports under certain conditions. |
| CVE-2025-13611 | Low | Info Disclosure | Leak of sensitive tokens in the terraform registry logs. |
Another major fix addresses CVE-2025-12571, a dangerous Denial-of-Service flaw.
This vulnerability allows unauthenticated attackers, with no username or password required, to crash a GitLab instance by sending a malicious JSON request.
This type of attack could take an organization’s code repositories offline, disrupting development workflows.
## Authentication Bypasses
The update also resolves CVE-2025-12653, a medium-severity issue that could allow unauthenticated users to bypass security checks and join arbitrary organizations by manipulating network request headers.
While less severe than the crash flaw, this bypass poses a significant risk to organizational privacy and access control.
The table above summarizes the security issues resolved in this patch release.
GitLab strongly recommends that all customers running affected versions upgrade to the latest patch immediately. Upgrade targets: Versions 18.6.1, 18.5.3, or 18.4.5.
Impact: Single-node instances will experience downtime during the upgrade due to database migrations. Multi-node instances can perform zero-downtime upgrades.
Failure to update leaves installations exposed to attackers who can now analyze the public patches to reverse-engineer exploits.
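The practical question for an administrator is whether a given self-managed instance already carries these fixes. The script below is an added example (not GitLab's own tooling) that takes a GitLab version string, as reported by `gitlab-rake gitlab:env:info` or the `/api/v4/version` API, and checks it against the three patched versions named above. The `gitlab:env:info` output format used in the constructed sample is assumed from memory of that command; the version thresholds come from the release itself. Minor branches newer than 18.6 are assumed to have been cut after the fixes landed, and branches older than 18.4 receive no backport in this release, so both cases are handled explicitly.

```python
"""Check a self-managed GitLab version against the 18.6.1 / 18.5.3 / 18.4.5
patch release. Added example, not part of the article or of GitLab."""
import re
from typing import Optional, Tuple

# Fixed versions named in the release, keyed by supported minor branch.
PATCHED = {
    (18, 6): (18, 6, 1),
    (18, 5): (18, 5, 3),
    (18, 4): (18, 4, 5),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '18.5.2', 'v18.5.2', '18.5.2-ee' or '18.5.2-ce.0' into (18, 5, 2).

    Edition and build suffixes are ignored: the fixed version numbers are
    the same for CE and EE.
    """
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def dotted(v: Tuple[int, int, int]) -> str:
    return ".".join(str(x) for x in v)


def assess(version: str) -> Tuple[bool, str]:
    """Return (is_patched, human-readable advice) for one version string."""
    parsed = parse_version(version)
    branch = parsed[:2]
    newest_branch = max(PATCHED)

    if branch in PATCHED:
        fixed = PATCHED[branch]
        if parsed >= fixed:
            return True, f"{version}: patched (at or above {dotted(fixed)})"
        return False, f"{version}: vulnerable, upgrade to {dotted(fixed)}"

    if branch > newest_branch:
        # Assumption: later minor releases are built after the fix landed.
        return True, f"{version}: newer than the patched branches, assumed fixed"

    # Older branch: no backport in this release, move to a supported branch.
    target = dotted(PATCHED[newest_branch])
    return False, f"{version}: branch not covered by this release, upgrade to {target}"


def version_from_env_info(output: str) -> Optional[str]:
    """Pull the GitLab version out of `gitlab-rake gitlab:env:info` output.

    The command prints several 'Version:' lines (GitLab, GitLab Shell, ...),
    so only the first one after the 'GitLab information' header is used.
    Format is assumed, not taken from the article.
    """
    in_gitlab_section = False
    for line in output.splitlines():
        if line.strip() == "GitLab information":
            in_gitlab_section = True
            continue
        if in_gitlab_section and line.startswith("Version:"):
            return line.split(":", 1)[1].strip()
    return None


# Constructed sample output, trimmed to the lines that matter.
SAMPLE_ENV_INFO = """System information
System:\t\tUbuntu 22.04
GitLab information
Version:\t18.5.2-ee
Revision:\tdeadbeef
GitLab Shell
Version:\t14.0.0
"""

if __name__ == "__main__":
    found = version_from_env_info(SAMPLE_ENV_INFO)
    print(assess(found)[1] if found else "could not determine version")
    for v in ("18.6.0", "18.6.1-ee", "18.4.5-ce.0", "18.3.9", "18.7.0"):
        print(assess(v)[1])
```

Running the script against real output is a matter of piping `sudo gitlab-rake gitlab:env:info` into `version_from_env_info`, or feeding the `version` field from `GET /api/v4/version` straight into `assess`. A `False` result on a branch older than 18.4 is deliberate: those branches get no fix from this release, so the only remediation is moving to a supported branch along GitLab's documented upgrade path.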
