GitLab has released important security updates. The new versions are 18.4.2, 18.3.4, and 18.2.8 for both Community Edition (CE) and Enterprise Edition (EE).
These updates fix several vulnerabilities that could lead to denial-of-service (DoS) attacks and allow unauthorized access.
All self-managed GitLab installations are strongly advised to upgrade promptly to mitigate potential disruptions. GitLab.com and GitLab Dedicated customers are already fully protected by these patches.
The patched releases address several newly discovered vulnerabilities affecting both authenticated and unauthenticated users. These issues, spanning various attack vectors, underscore the ongoing risk to code repositories and development pipelines if left unpatched.
GitLab’s standard practice ensures issues are only publicly documented 30 days after patch deployment, emphasizing the need for proactive upgrades to preserve security posture.
Multiple Vulnerabilities Patched
Security researchers and GitLab’s internal team have identified four main issues in this update, each posing unique risks:
CVE-2025-11340: GraphQL Mutation Authorization Bypass
This high-severity vulnerability (CVSS 7.7) allowed authenticated users with read-only API tokens to perform unauthorized write operations on vulnerability records due to incorrect scoping in GraphQL mutations.
Exploitation could lead to tampering with vulnerability details, straining governance and compliance efforts. Impacted versions include GitLab EE 18.3 to 18.3.4 and 18.4 to 18.4.2. Discovered internally by GitLab.
CVE-2025-10004: Denial of Service via GraphQL Blob Requests
Assigned a CVSS score of 7.5, this remote flaw impacted versions from 13.12 through 18.2.8, 18.3 up to 18.3.4, and 18.4 up to 18.4.2. By sending specially crafted GraphQL requests for large repository blobs, attackers could exhaust server resources, making a GitLab instance unresponsive. No authentication is required, substantially widening its attack surface.
CVE-2025-9825: Unauthorized Access to Manual CI/CD Variables via GraphQL
This medium-severity bug (CVSS 5.0) exposed sensitive manual CI/CD variables to authenticated users lacking project membership, simply by querying the GraphQL API. Versions affected range from 13.7 to 18.2.8, and pre-patched releases of 18.3 and 18.4.
CVE-2025-2934: DoS via Malicious Webhook Endpoints in GitLab CE/EE
Affecting all versions from 5.2 up to 18.2.8, 18.3 before 18.3.4, and 18.4 before 18.4.2, this moderate risk (CVSS 4.3) stemmed from a Ruby Core library flaw. Attackers could configure webhooks to send malicious HTTP responses, destabilizing GitLab servers. The issue was responsibly disclosed in July 2025.
| CVE ID | Vulnerability Title | Severity | CVSS Score | Impacted Versions |
|---|---|---|---|---|
| CVE-2025-11340 | GraphQL Mutations Auth Bypass (EE) | High | 7.7 | 18.3–18.3.4, 18.4–18.4.2 |
| CVE-2025-10004 | DoS via GraphQL Blob Type (CE/EE) | High | 7.5 | 13.12–18.2.8, 18.3–18.3.4, 18.4–18.4.2 |
| CVE-2025-9825 | Manual Jobs Auth Flaw (CE/EE) | Medium | 5.0 | 13.7–18.2.8, 18.3–18.3.4, 18.4–18.4.2 |
| CVE-2025-2934 | DoS via Webhooks (CE/EE) | Medium | 4.3 | 5.2–18.2.8, 18.3–18.3.4, 18.4–18.4.2 |
Mitigations
GitLab strongly urges all organizations administering self-managed or on-premise deployments to upgrade immediately to the newly released versions to avoid system downtime and unauthorized data manipulation.
Delaying updates increases the risk of disruption, data leakage, and exploit-driven escalation attacks. GitLab publishes best practices and upgrade instructions on its official releases page and security blog.
Maintaining prompt patch hygiene is essential for development teams and enterprises relying on GitLab for source code, CI/CD, and collaborative software workflow management.
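As an added illustration (not part of the advisory and not GitLab's own tooling), the following Python check maps a self-managed instance's reported version onto the fixed releases named above (18.4.2, 18.3.4, 18.2.8) so an administrator can tell at a glance whether an upgrade is still outstanding. It assumes GitLab's usual MAJOR.MINOR.PATCH version strings; the optional fetch helper reads the real `GET /api/v4/version` endpoint and assumes you supply a base URL and a personal access token.

```python
# Added example (not GitLab's own code): map a reported GitLab version onto the
# fixed releases named in the advisory. Assumes MAJOR.MINOR.PATCH with optional -ee/-ce.
from __future__ import annotations
import json
import re
import urllib.request

# Minimum patched release per affected minor branch, taken from the advisory.
FIXED_RELEASES = {(18, 4): (18, 4, 2), (18, 3): (18, 3, 4), (18, 2): (18, 2, 8)}
OLDEST_FIXED = (18, 2, 8)  # branches older than 18.2 received no fixed release

def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '18.3.4-ee' or '18.4.1' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch

def is_patched(version: str) -> bool:
    """True if the instance runs a release that already contains these fixes."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is not None:
        # Same minor branch as a patched release: compare the patch level only.
        return (major, minor, patch) >= fixed
    # Branches newer than 18.4 shipped after the fix; anything older than 18.2
    # never received one and must move to at least 18.2.8.
    return (major, minor, patch) > OLDEST_FIXED

def needed_upgrade(version: str) -> str | None:
    """Smallest fixed release an unpatched instance should move to, else None."""
    if is_patched(version):
        return None
    major, minor, _ = parse_version(version)
    target = FIXED_RELEASES.get((major, minor), OLDEST_FIXED)
    return ".".join(str(x) for x in target)

def fetch_instance_version(base_url: str, token: str) -> str:
    """Read the running version from GitLab's /api/v4/version endpoint (token required)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version", headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]
```

Typical use is `needed_upgrade(fetch_instance_version("https://gitlab.example.internal", token))`, which returns `None` once the instance is on a fixed release.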