GitLab has recently issued urgent security updates for its Community Edition (CE) and Enterprise Edition (EE) to address several critical vulnerabilities that could potentially allow attackers to execute unauthorized actions, including Denial-of-Service (DoS) attacks and unauthorized code execution.
Overview of the Vulnerabilities
The latest security patches target multiple vulnerabilities, some of which are of high severity. These flaws could enable unauthenticated attackers to crash GitLab instances or execute unauthorized code. The vulnerabilities affect various versions of GitLab CE and EE, necessitating immediate attention from administrators.
Denial-of-Service (DoS) Vulnerabilities
Among the most pressing issues are three DoS vulnerabilities that allow remote attackers to crash GitLab instances without authentication:
– CVE-2025-10497: This vulnerability targets event collection mechanisms. Unauthenticated users can send specially crafted payloads to trigger resource exhaustion, leading to service denial. It affects GitLab CE/EE versions from 17.10 prior to the patches and carries a CVSS score of 7.5, indicating high severity.
– CVE-2025-11447: This flaw exploits JSON validation in GraphQL requests. Unauthenticated actors can flood the system with malicious payloads, potentially halting API responses. It affects versions from 11.0 and also has a CVSS score of 7.5.
– CVE-2025-11974: This medium-severity DoS issue arises during file uploads to specific API endpoints. Large files from unauthenticated sources can consume excessive resources, leading to service disruption. It affects versions from 11.7 and has a CVSS score of 6.5.
Unauthorized Code Execution Vulnerabilities
In addition to DoS vulnerabilities, the patches address critical flaws that could allow unauthorized code execution:
– CVE-2024-9164: This critical vulnerability allows unauthorized users to execute pipelines on branches without appropriate permission, leading to unauthorized code execution. It affects GitLab CE/EE versions from 8.16 to 17.4.1 and has a CVSS score of 9.6.
– CVE-2024-8970: This vulnerability allows an attacker to trigger a pipeline as another user under certain conditions, leading to potential unauthorized actions. It has a CVSS score of 8.2.
– CVE-2024-8977: This Server-Side Request Forgery (SSRF) vulnerability in the Analytics Dashboard allows attackers to make unauthorized network requests. It also has a CVSS score of 8.2.
Affected Versions and Recommendations
The vulnerabilities affect GitLab CE/EE versions from 8.16 up to 17.4.1. GitLab has released patches in versions 17.4.2, 17.3.5, and 17.2.9 to address these issues. Administrators are strongly advised to upgrade all affected self-managed instances immediately to mitigate these risks. This applies to Omnibus, source, and Helm deployments.
Mitigation Measures
In addition to applying the patches, GitLab recommends the following mitigation measures:
– Enforce Two-Factor Authentication (2FA): Implement mandatory 2FA for all accounts to enhance security.
– Monitor Authentication Logs: Regularly review authentication logs for unusual patterns that may indicate unauthorized access attempts.
– Review Pipeline Execution History: Examine pipeline execution history for unauthorized job injections or executions.
– Restrict CI/CD Pipeline Permissions: Limit CI/CD pipeline permissions to trusted users to prevent unauthorized code execution.
– Conduct Regular Vulnerability Scans: Perform routine vulnerability scans to identify and address potential security issues promptly.
Conclusion
GitLab’s prompt response to these critical vulnerabilities underscores the importance of proactive security measures in software development environments. Administrators are urged to apply the latest patches and implement the recommended mitigation strategies to safeguard their systems against potential exploits.
