Severity
High
Analysis Summary
GitLab has issued critical security updates for both its Community Edition (CE) and Enterprise Edition (EE), addressing multiple high-severity vulnerabilities that could compromise self-managed installations. The patches, released in versions 18.6.1, 18.5.3, and 18.4.5, resolve flaws that allow attackers to bypass authentication, steal user credentials, or crash servers via Denial-of-Service (DoS) attacks. GitLab.com has already been patched, but administrators of self-hosted instances are strongly urged to upgrade immediately to prevent exploitation.
The most serious vulnerability, CVE-2024-9183, is a race condition in the CI/CD cache that could allow authenticated attackers to escalate privileges and steal credentials from higher-privileged users. By exploiting this timing flaw, a malicious actor could take over administrative accounts or perform unauthorized actions, posing a severe risk to organizational security and data integrity. Other critical issues include CVE-2025-12571, a Denial-of-Service flaw enabling unauthenticated attackers to crash GitLab instances via malicious JSON input, potentially taking repositories offline and disrupting development workflows.
Additional vulnerabilities addressed include CVE-2025-12653, which allows authentication bypass through manipulated network headers, letting attackers join arbitrary organizations; CVE-2025-7449, which enables authenticated users to cause crashes through HTTP response processing; CVE-2025-6195 (EE only), which allows viewing of restricted security reports; and CVE-2025-13611, a low-severity issue causing token leaks in Terraform registry logs. These flaws range from medium to high severity, covering privilege escalation, DoS, authentication bypass, and information disclosure, highlighting the breadth of potential attack vectors.
GitLab strongly recommends that all affected users upgrade immediately to the latest patched versions (18.6.1, 18.5.3, or 18.4.5). Single-node instances will experience downtime due to database migrations, while multi-node installations can perform zero-downtime upgrades. Failing to update leaves systems exposed to attackers who can analyze the publicly available patches to develop exploits. Organizations relying on GitLab for CI/CD workflows should treat this update as a priority to ensure uninterrupted operations and protect sensitive code and credentials.
Impact
- Sensitive Data Theft
- Gain Access
- Denial of Service
- Security Bypass
Indicators of Compromise
CVE
CVE-2024-9183
CVE-2025-12571
CVE-2025-12653
CVE-2025-7449
CVE-2025-6195
CVE-2025-13611
Affected Vendors
Remediation
- Immediately upgrade GitLab to the latest patched versions: 18.6.1, 18.5.3, or 18.4.5, depending on your current installation.
- Verify all self-managed instances are running the patched version to ensure no system remains vulnerable.
- Plan for downtime on single-node installations due to database migrations; multi-node setups can perform zero-downtime upgrades.
- Restrict network access and monitor traffic to mitigate exploitation of unauthenticated vulnerabilities like CVE-2025-12571 and CVE-2025-12653.
- Audit user privileges and access controls to prevent misuse of vulnerabilities such as CVE-2024-9183 (race condition in CI/CD cache).
- Monitor GitLab logs for unusual activity or failed authentication attempts that could indicate attempted exploitation.
- Review exposed sensitive data, such as tokens in Terraform registry logs (CVE-2025-13611), and rotate them if necessary.
- Subscribe to GitLab Security Bulletins to receive timely notifications of future vulnerabilities and patch releases.
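The first two remediation steps (upgrade to 18.6.1, 18.5.3 or 18.4.5, then verify that every self-managed instance is actually on a patched release) are easy to get wrong when the version strings come from several branches. The following script is an added example, not GitLab's code or part of the advisory: it maps each instance's version onto its release branch and compares it against the fixed release for that branch. The host inventory is constructed for the example; the handling of branches outside the three patched ones (older than 18.4 is told to move to 18.4.5, newer than 18.6 is assumed to already contain the fixes) is an assumption made here, not a statement from the advisory.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Patched releases named in the GitLab advisory, keyed by release branch.
FIXED_RELEASES: Dict[Tuple[int, int], Version] = {
    (18, 6): (18, 6, 1),
    (18, 5): (18, 5, 3),
    (18, 4): (18, 4, 5),
}

# Accepts "18.5.3", "18.5.3-ee" or "18.5.3-ce"; the suffix is ignored.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Return (major, minor, patch) for a GitLab version string, or None."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def required_fix(version: Version) -> Optional[Version]:
    """Minimum patched release for this instance's branch.

    Assumption (not from the advisory): a branch older than 18.4 is outside
    the patched range and should move to the oldest fixed release, 18.4.5;
    a branch newer than 18.6 is assumed to already carry the fixes (None).
    """
    branch = (version[0], version[1])
    if branch in FIXED_RELEASES:
        return FIXED_RELEASES[branch]
    if branch < (18, 4):
        return (18, 4, 5)
    return None


def is_patched(text: str) -> bool:
    """True only when the version parses and meets its branch's fixed release."""
    v = parse_version(text)
    if v is None:
        return False  # unknown version: treat as unpatched until verified
    fix = required_fix(v)
    return fix is None or v >= fix


def audit(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Classify every host as patched, VULNERABLE (with target) or UNKNOWN."""
    report: List[Tuple[str, str, str]] = []
    for host, ver in sorted(inventory.items()):
        v = parse_version(ver)
        if v is None:
            report.append((host, ver, "UNKNOWN - verify manually"))
        elif is_patched(ver):
            report.append((host, ver, "patched"))
        else:
            fix = required_fix(v)
            target = ".".join(str(n) for n in fix)  # fix is never None here
            report.append((host, ver, f"VULNERABLE - upgrade to {target}"))
    return report


# Constructed inventory for the example (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "gitlab-prod.example.internal": "18.6.1-ee",
    "gitlab-staging.example.internal": "18.5.2-ee",
    "gitlab-legacy.example.internal": "18.3.4-ce",
    "gitlab-dev.example.internal": "18.4.5",
    "gitlab-broken.example.internal": "unknown",
}

if __name__ == "__main__":
    for host, ver, status in audit(SAMPLE_INVENTORY):
        print(f"{host:35} {ver:10} {status}")
```

In practice the version strings come from each instance, for example from `sudo gitlab-rake gitlab:env:info` on the host or the authenticated `GET /api/v4/version` API call; the comparison is done per branch because 18.5.2 is vulnerable even though it is numerically above 18.4.5, and a plain lexical or single-number comparison would miss that.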