GitLab has issued a critical security update to address several denial-of-service (DoS) vulnerabilities affecting both Community Edition (CE) and Enterprise Edition (EE).
Self-managed installations should upgrade immediately to versions 18.4.2, 18.3.4, or 18.2.8. GitLab.com already runs the patched versions, and GitLab Dedicated customers are unaffected.
The GitLab team delivers scheduled releases twice a month, on the second and fourth Wednesdays, along with ad-hoc critical patches for high-severity issues.
Today’s update includes important bug and security fixes that harden GraphQL endpoints, webhook handling, and CI/CD job authorization.
All deployment types omnibus packages, source installations, and Helm charts are affected unless explicitly excluded.
Administrators are urged to consult the GitLab releases handbook and security FAQ for upgrade instructions and best practices. Maintaining the latest patch release ensures that newly discovered vulnerabilities cannot be exploited.
Details of the DoS-Enabling Vulnerabilities
This update patches four vulnerabilities, two of them rated High severity and two rated Medium.
The first High severity flaw, CVE-2025-10004, could allow unauthenticated attackers to render GitLab unresponsive by submitting specially crafted GraphQL queries requesting large repository blobs.
The second High severity issue, CVE-2025-11340, involves incorrect authorization in GraphQL mutations that might enable authenticated users with read-only tokens to perform unauthorized write operations in Enterprise Edition. Both issues have been fixed in the latest releases.
The Medium severity vulnerabilities include CVE-2025-9825, where unauthorized users could view sensitive CI/CD variables by querying the GraphQL API, and CVE-2025-2934, which affects webhook endpoints by permitting crafted HTTP responses that exhaust system resources. All impacted versions and CVSS scores are summarized below.
| CVE ID | Description | Severity | CVSS 3.1 Score |
| CVE-2025-11340 | Incorrect authorization in GraphQL mutations allows write operations | High | 7.7 |
| CVE-2025-10004 | Denial of Service via large GraphQL blob queries | High | 7.5 |
| CVE-2025-9825 | Missing authorization in manual jobs exposes CI/CD variables | Medium | 5.0 |
| CVE-2025-2934 | DoS through malicious webhook HTTP responses | Medium | 4.3 |
GitLab’s security team publishes detailed issue reports 30 days after each patch release and encourages transparency by listing vulnerabilities on the public issue tracker.
To maintain good security hygiene, customers should follow the recommendations in the GitLab security FAQ and adhere to the instance security best practices guide.
Regularly updating to the latest patch release not only protects against known exploits but also ensures compliance with evolving security standards. Robust access controls, token management, and network isolation further reduce the risk of exploitation.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
