GitLab Releases Critical Security Updates to Address Multiple Vulnerabilities

GitLab has recently issued critical security updates for both its Community Edition (CE) and Enterprise Edition (EE), introducing versions 18.4.2, 18.3.4, and 18.2.8. These updates are designed to rectify several vulnerabilities that could potentially lead to denial-of-service (DoS) attacks and unauthorized access. Administrators of self-managed GitLab installations are strongly encouraged to upgrade promptly to mitigate these risks. Notably, GitLab.com and GitLab Dedicated customers have already been safeguarded by these patches.

Overview of Addressed Vulnerabilities

The latest patches tackle several newly identified vulnerabilities affecting both authenticated and unauthenticated users. These issues, spanning several attack vectors, underscore the ongoing risk to code repositories and development pipelines if they are left unpatched. GitLab’s standard practice is to publish full details of each issue 30 days after the patched release, which makes proactive upgrading essential to maintaining a robust security posture.

Detailed Examination of Patched Vulnerabilities

1. CVE-2025-11340: GraphQL Mutation Authorization Bypass

– Severity: High (CVSS Score: 7.7)
– Description: This vulnerability allowed authenticated users holding read-only API tokens to perform unauthorized write operations on vulnerability records, because the relevant GraphQL mutations were incorrectly scoped. Exploitation could let an attacker tamper with vulnerability details, undermining governance and compliance efforts.
– Impacted Versions: GitLab EE 18.3 before 18.3.4 and 18.4 before 18.4.2.
– Discovery: Identified internally by GitLab.

2. CVE-2025-10004: Denial of Service via GraphQL Blob Requests

– Severity: High (CVSS Score: 7.5)
– Description: This flaw allowed remote attackers to send specially crafted GraphQL requests for large repository blobs, exhausting server resources and rendering a GitLab instance unresponsive. Notably, no authentication was required, which significantly widens the exposed attack surface.
– Impacted Versions: GitLab versions from 13.12 before 18.2.8, 18.3 before 18.3.4, and 18.4 before 18.4.2.

3. CVE-2025-9825: Unauthorized Access to Manual CI/CD Variables via GraphQL

– Severity: Medium (CVSS Score: 5.0)
– Description: This vulnerability exposed sensitive manual CI/CD variables to authenticated users who were not members of the project, simply by querying the GraphQL API.
– Impacted Versions: GitLab versions from 13.7 before 18.2.8, 18.3 before 18.3.4, and 18.4 before 18.4.2.

4. CVE-2025-2934: DoS via Malicious Webhook Endpoints in GitLab CE/EE

– Severity: Medium (CVSS Score: 4.3)
– Description: This issue stemmed from a flaw in the Ruby core library, allowing an attacker who could configure a webhook to point it at an endpoint that returns malicious HTTP responses, thereby destabilizing the GitLab server.
– Impacted Versions: GitLab versions from 5.2 up to 18.2.8, 18.3 before 18.3.4, and 18.4 before 18.4.2.
– Disclosure: Responsibly disclosed in July 2025.

Mitigation Measures

GitLab strongly urges all organizations running self-hosted or on-premises deployments to upgrade immediately to the newly released versions to prevent system downtime and unauthorized data manipulation. Delaying updates increases the risk of service disruption, data leakage, and follow-on exploitation. GitLab publishes upgrade instructions and best practices in its official release and security blog posts.
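As an added example (not GitLab's own tooling, and not part of the advisory text), the following Python script lets an administrator check an installed self-managed version string against the affected ranges listed above and reports the patched release on the running branch. It assumes that the three released versions (18.2.8, 18.3.4, 18.4.2) are the fixed boundaries of every range, that each range means "first affected version up to but not including the fixed version", and that the input is the `18.4.1-ee` style string returned by GitLab's `/api/v4/version` endpoint; the sample inputs at the bottom are constructed.

```python
"""Version exposure check for the GitLab CVEs summarised in this advisory.

Added example, not GitLab's own tooling. The affected ranges are transcribed
from the advisory text; the three patched releases (18.2.8, 18.3.4, 18.4.2)
are taken from the release announcement, and every range is assumed to mean
"first affected version <= installed < first fixed version on that branch".
"""

from dataclasses import dataclass
from typing import Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '18.4.1-ee' or '18.3' into a comparable tuple such as (18, 4, 1).

    Edition suffixes ('-ee', '-ce'), as returned by GitLab's /api/v4/version
    endpoint, are dropped before parsing. Tuple comparison already handles a
    two-component branch name: (18, 3) <= (18, 3, 0) < (18, 3, 4).
    """
    core = text.strip().split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


@dataclass(frozen=True)
class Advisory:
    cve: str
    editions: Tuple[str, ...]            # editions the advisory applies to
    ranges: Tuple[Tuple[str, str], ...]  # (first affected, first fixed) per branch


# Ranges as listed in the advisory summary above.
ADVISORIES = (
    Advisory("CVE-2025-11340", ("EE",),
             (("18.3", "18.3.4"), ("18.4", "18.4.2"))),
    Advisory("CVE-2025-10004", ("CE", "EE"),
             (("13.12", "18.2.8"), ("18.3", "18.3.4"), ("18.4", "18.4.2"))),
    Advisory("CVE-2025-9825", ("CE", "EE"),
             (("13.7", "18.2.8"), ("18.3", "18.3.4"), ("18.4", "18.4.2"))),
    Advisory("CVE-2025-2934", ("CE", "EE"),
             (("5.2", "18.2.8"), ("18.3", "18.3.4"), ("18.4", "18.4.2"))),
)

# Patched releases, newest branch first.
FIXED_RELEASES = ("18.4.2", "18.3.4", "18.2.8")


def is_affected(advisory: Advisory, version: str, edition: str = "CE") -> bool:
    """True if the installed version falls inside any affected range."""
    if edition not in advisory.editions:
        return False
    installed = parse_version(version)
    return any(parse_version(lo) <= installed < parse_version(hi)
               for lo, hi in advisory.ranges)


def exposure(version: str, edition: str = "CE") -> list:
    """CVE identifiers from this advisory that apply to the installed version."""
    return [a.cve for a in ADVISORIES if is_affected(a, version, edition)]


def recommended_upgrade(version: str) -> Optional[str]:
    """Patched release on the running branch, or None if already at or past it.

    Anything older than the 18.2 branch is pointed at 18.2.8, the oldest
    patched release; GitLab's documented upgrade path may require intermediate
    stops before reaching it, which this helper does not model.
    """
    installed = parse_version(version)
    for fixed in FIXED_RELEASES:
        target = parse_version(fixed)
        if installed[:2] == target[:2]:
            return fixed if installed < target else None
    return "18.2.8" if installed < parse_version("18.2.8") else None


if __name__ == "__main__":
    # Constructed sample inputs: what a few self-managed instances might report.
    for sample, edition in (("18.4.1-ee", "EE"), ("18.3.0", "CE"),
                            ("17.11.2-ce", "CE"), ("18.4.2-ee", "EE")):
        cves = exposure(sample, edition)
        print(f"{sample:12} {edition}: {', '.join(cves) or 'not affected'}"
              f"  -> upgrade to {recommended_upgrade(sample) or 'n/a'}")
```

Note that the edition matters for the first entry only: CVE-2025-11340 is listed for EE alone, so a CE instance on 18.3.1 is reported against the other three CVEs but not that one. The helper intentionally treats the two-component branch names in the advisory ("18.3", "18.4") as lower bounds, which tuple comparison handles without padding.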

Maintaining prompt patch hygiene is essential for development teams and enterprises relying on GitLab for source code, CI/CD, and collaborative software workflow management.