GitLab has issued security updates for its Community Edition (CE) and Enterprise Edition (EE), addressing multiple vulnerabilities, including two high-severity flaws that could lead to Server-Side Request Forgery (SSRF) and Denial of Service (DoS) attacks. Administrators of self-managed GitLab installations are strongly advised to upgrade immediately to the patched release for their branch: 18.3.2, 18.2.6, or 18.1.6.
Overview of the Vulnerabilities
The latest updates address a total of six security vulnerabilities, varying in severity. Notably, two high-severity issues have been identified:
1. Server-Side Request Forgery (SSRF) Vulnerability (CVE-2025-6454): This flaw, with a CVSS score of 8.5, resides in the webhook custom header feature. An authenticated user could exploit it by injecting specially crafted sequences into a custom header, causing the GitLab instance to make unintended requests to internal hosts when it runs behind a proxy. Because those requests originate from the GitLab server itself, they can reach services that are not exposed to the attacker directly. This issue affects all versions from 16.11 prior to 18.1.6, 18.2 prior to 18.2.6, and 18.3 prior to 18.3.2.
2. Denial of Service (DoS) Vulnerability (CVE-2025-2256): Assigned a CVSS score of 7.5, this vulnerability could be exploited by an unauthenticated attacker. By sending multiple large SAML responses concurrently to a GitLab instance, the attacker could exhaust its resources, rendering the system unresponsive to legitimate users. This flaw impacts all versions from 7.12 onwards up to the patched releases.
In addition to these high-severity vulnerabilities, four medium-severity issues have been addressed:
1. DoS via Commit Messages or Merge Request Descriptions (CVE-2025-1250): With a CVSS score of 6.5, this flaw allows an authenticated user to stall background job processing by using specially crafted commit messages or merge request descriptions.
2. Persistent DoS through Large File Uploads (CVE-2025-7337): Also rated at 6.5, this vulnerability enables an authenticated user with at least Developer-level access to render a GitLab instance unavailable by uploading large files, and the condition persists until the uploads are dealt with.
3. DoS via Excessively Long Token Names (CVE-2025-10094): This issue, with a CVSS score of 6.5, allows authenticated users to disrupt access to token-related operations by creating tokens with excessively long names.
4. Information Disclosure in Runner Details (CVE-2025-6769): Assigned a CVSS score of 4.3, this vulnerability could allow an authenticated user to view administrator-only maintenance notes by accessing runner details through specific interfaces.
Mitigation and Recommendations
GitLab has credited several security researchers, including yuki_osaki, ppee, pwnie, and iamgk808, for discovering and reporting these vulnerabilities through its HackerOne bug bounty program. In line with its disclosure policy, the full details of these vulnerabilities will be made public on GitLab’s issue tracker 30 days after the release.
To mitigate these vulnerabilities, GitLab strongly recommends that all self-managed customers review the security announcement and apply the updates to protect their instances from potential attacks. GitLab.com already runs the patched code, and GitLab Dedicated customers do not need to take any action.
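As an added example, not code from GitLab or from the advisory, the following Python check maps a self-managed instance's version string to the patched releases named above and lists which of the two high-severity CVEs apply to it, using the affected ranges stated in this article. It assumes that a minor branch newer than 18.3 was cut after the fixes landed and so needs no upgrade, and it tracks only the two high-severity issues, not the four medium ones. The version string can be taken from the instance's GET /api/v4/version endpoint or from the Admin area; the sample versions in the main block are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Patched releases from the advisory, keyed by minor branch.
PATCHED = {
    (18, 3): (18, 3, 2),
    (18, 2): (18, 2, 6),
    (18, 1): (18, 1, 6),
}
NEWEST_PATCHED: Version = (18, 3, 2)

# Oldest affected version of each high-severity issue, per the advisory.
FIRST_AFFECTED = {
    "CVE-2025-6454": (16, 11, 0),  # SSRF via webhook custom headers
    "CVE-2025-2256": (7, 12, 0),   # DoS via concurrent large SAML responses
}

# Accepts "18.3.1", "v18.3.1" and "18.3.1-ee"; the suffix is ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Parse a GitLab version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def fmt(v: Version) -> str:
    return ".".join(str(p) for p in v)


def upgrade_target(text: str) -> Optional[str]:
    """Return the release to upgrade to, or None if the version is already patched."""
    v = parse_version(text)
    branch = v[:2]
    if branch in PATCHED:
        # Same branch: patched once the patch number reaches the advisory's release.
        return None if v >= PATCHED[branch] else fmt(PATCHED[branch])
    # Assumption (not stated in the advisory): a branch newer than 18.3 already
    # contains the fixes.
    if v > NEWEST_PATCHED:
        return None
    # Older branches (18.0, 17.x, ...) received no backport; move to the newest
    # patched release.
    return fmt(NEWEST_PATCHED)


def affected_cves(text: str) -> List[str]:
    """High-severity CVEs from this advisory that apply to the given version."""
    v = parse_version(text)
    if upgrade_target(text) is None:
        return []
    return [cve for cve, first in FIRST_AFFECTED.items() if v >= first]


if __name__ == "__main__":
    import sys

    # Constructed sample versions; pass real ones on the command line instead.
    for arg in sys.argv[1:] or ["18.3.1-ee", "18.2.6", "17.11.4", "16.10.0"]:
        tgt = upgrade_target(arg)
        status = "patched" if tgt is None else f"upgrade to {tgt}"
        cves = ", ".join(affected_cves(arg)) or "-"
        print(f"{arg:12} {status:18} {cves}")
```

The branch-aware lookup matters because the three releases are backports: an 18.2.x instance is fixed at 18.2.6 and does not need to jump to 18.3.2, whereas anything on 18.0 or earlier has no patched release on its own branch and must move forward.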
Understanding the Impact
The identified vulnerabilities pose significant risks to organizations using GitLab for their DevOps processes. An SSRF flaw lets an attacker make requests from the server's own network position, reaching internal services and metadata endpoints that are not exposed to the outside and potentially retrieving sensitive data from them. DoS flaws can take the instance offline, halting pipelines and merges and costing productivity; the SAML one is especially notable because it requires no authentication. Timely application of these patches is therefore crucial to maintaining the security and availability of GitLab instances.
Conclusion
GitLab’s proactive approach in identifying and patching these vulnerabilities underscores the importance of regular security assessments and prompt updates. Organizations are urged to stay vigilant and ensure their systems are up-to-date to safeguard against potential threats.