

Severity
High
Analysis Summary
GitLab has urgently released security patches for its Community Edition (CE) and Enterprise Edition (EE) in versions 18.5.1, 18.4.3, and 18.3.5 to address multiple high-impact vulnerabilities. These include several denial-of-service (DoS) flaws, access control issues, and authorization weaknesses. The company emphasized that all self-managed instances must be immediately upgraded, while GitLab[.]com and Dedicated customers are already protected. The vulnerabilities, reported via HackerOne or found internally, highlight the platform’s exposure in areas such as event processing, GraphQL validation, and file upload mechanisms.
The most critical issues are three denial-of-service vulnerabilities that an unauthenticated attacker can use to take a GitLab instance down. CVE-2025-10497 abuses event collection to exhaust system resources with crafted payloads; it affects versions from 17.10 onward and is rated High. CVE-2025-11447 abuses JSON validation in GraphQL requests, letting an attacker flood the instance with malicious payloads; it affects versions from 11.0 onward and is also rated High. CVE-2025-11974 targets file upload endpoints in versions from 11.7 onward, where large unauthenticated uploads cause excessive resource consumption. All three are fixed in 18.5.1, 18.4.3 and 18.3.5, and all three allow service disruption with low attack complexity and without valid credentials.
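As an added example (not GitLab's tooling and not code from this advisory), the following Python snippet encodes the affected and fixed ranges stated above so an operator can test the version string a self-managed instance reports (for example the "version" field returned by GET /api/v4/version, which looks like {"version": "18.4.2-ee", "revision": "..."}) against the three DoS CVEs. The branch logic is an assumption based on GitLab's usual backport pattern: a release is treated as fixed if it is 18.5.1 or later, at or above 18.4.3 on the 18.4 line, or at or above 18.3.5 on the 18.3 line; every other release at or after a CVE's first affected version is treated as unpatched. The sample API response in the block is constructed, not captured from a real instance.

```python
"""Added example: map a GitLab version string to the DoS CVEs from this advisory.

Ranges are taken from the advisory text: CVE-2025-10497 affects 17.10 onward,
CVE-2025-11447 affects 11.0 onward, CVE-2025-11974 affects 11.7 onward, and all
three are fixed in 18.5.1, 18.4.3 and 18.3.5. The per-branch fix logic is an
assumption modelled on GitLab's usual backport pattern, not an official list.
"""
import json
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# First affected version per CVE, as stated in the advisory.
AFFECTED_FROM: Dict[str, Version] = {
    "CVE-2025-10497": (17, 10, 0),
    "CVE-2025-11447": (11, 0, 0),
    "CVE-2025-11974": (11, 7, 0),
}

# Fixed releases, one per maintained branch.
FIXED_RELEASES: List[Version] = [(18, 5, 1), (18, 4, 3), (18, 3, 5)]


def parse_version(text: str) -> Version:
    """Turn '18.4.2-ee', 'v18.5.0' or '18.3' into a comparable (major, minor, patch) tuple."""
    match = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return (int(match.group(1)), int(match.group(2)), int(match.group(3) or 0))


def is_patched(version: Version) -> bool:
    """A release carries the fix if it is 18.5.1 or later, or sits on an older
    maintained branch (18.4 or 18.3) at or after that branch's backport.
    Assumption: anything else, including 18.2 and earlier, is unpatched."""
    if version >= (18, 5, 1):
        return True
    return any(version[:2] == fixed[:2] and version >= fixed for fixed in FIXED_RELEASES)


def vulnerable_cves(version_text: str) -> List[str]:
    """Return the advisory's DoS CVEs that apply to this version (empty if patched)."""
    version = parse_version(version_text)
    if is_patched(version):
        return []
    return sorted(cve for cve, start in AFFECTED_FROM.items() if version >= start)


def cves_from_version_api(body: str) -> List[str]:
    """Accept the JSON body of GET /api/v4/version and check its "version" field."""
    return vulnerable_cves(json.loads(body)["version"])


if __name__ == "__main__":
    # Constructed response body for demonstration, not captured from a real instance.
    sample = '{"version": "18.4.2-ee", "revision": "0000000"}'
    print(cves_from_version_api(sample))
```

Anything that returns a non-empty list needs one of the three patched releases; a version below 18.3 has no backport and must move to a supported branch.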
Beyond the DoS bugs, the patches resolve access control weaknesses, one of which carries the highest CVSS score in the release. CVE-2025-11702 (CVSS 8.5) affects GitLab EE and allows an authenticated user to hijack runners belonging to other projects through improper access checks in the runner API. CVE-2025-11971 affects CE and enables unauthorized pipeline execution through commit manipulation. GitLab also addressed lower-impact issues: a business logic error in EE group memberships (CVE-2025-6601) and a missing authorization check in quick actions (CVE-2025-11989), either of which could grant unintended access or let a user run quick actions they are not authorized to use.
The patches are part of GitLab's regular twice-monthly patch release cycle, and full vulnerability details are scheduled to be made public on GitLab's issue tracker 30 days after the release. Additional fixes include resolving Redis gem downgrades, connection pool errors, and Geo routing data exposure. To mitigate risk, GitLab advises all self-managed users to update Omnibus, source, and Helm-based deployments immediately. No active exploitation has been reported, but because the DoS flaws need no credentials, timely patching and routine update hygiene are the only reliable protection against service disruption and the safeguards development workflows depend on.
Impact
- Denial of Service
- Gain Access
Indicators of Compromise
CVE
CVE-2025-10497
CVE-2025-11447
CVE-2025-11974
CVE-2025-11702
CVE-2025-11971
CVE-2025-6601
CVE-2025-11989
Affected Vendors
- GitLab
Remediation
- Immediately upgrade GitLab instances to versions 18.5.1, 18.4.3, or 18.3.5 for both Community (CE) and Enterprise Edition (EE) to apply all security patches.
- Update all deployment types, including Omnibus, source installations, and Helm charts, to eliminate exposure across environments.
- On EE instances, review runner registrations and which projects each runner is assigned to, and look for runners picking up jobs from projects they should not serve, the behaviour CVE-2025-11702 enables.
- Restrict API and GraphQL access using rate limiting, WAF rules, and authentication enforcement to mitigate DoS payload attempts (CVE-2025-10497 & CVE-2025-11447).
- Apply file upload size limits and content validation to prevent resource exhaustion attacks via large unauthenticated uploads (CVE-2025-11974).
- Enforce strict access control policies on pipelines and restrict who can trigger pipeline builds to mitigate CVE-2025-11971.
- Review and audit project/group permissions to ensure no abuse of business logic flaws in group memberships (CVE-2025-6601).
- Monitor use of the "quick actions" feature for actions run by users who should not be authorized, and restrict it where practical, until the instance is on a release that fixes CVE-2025-11989.
- Enable logging and monitoring of API, runner activity, and upload endpoints for early detection of abnormal behavior or exploitation attempts.
- Implement regular patch management policies as recommended by GitLab’s security handbook to maintain long-term protection.
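To make the logging and monitoring item concrete, here is an added example (not part of the advisory and not GitLab's code) of a small detector that reads lines in the shape of GitLab's api_json.log and flags a source IP making many unauthenticated requests to /api/graphql or an /uploads endpoint within a short window, the traffic pattern the GraphQL and upload DoS bugs above would produce. The sample log lines are constructed for the example; the endpoint patterns, the 60-second window and the threshold of five are assumptions to tune per instance, and the rule deliberately does not cover the event-collection vector because the advisory does not name its endpoint.

```python
"""Added example: flag unauthenticated request floods against GraphQL and upload
endpoints in GitLab's api_json.log. Not GitLab's code; the endpoint patterns,
window and threshold are assumptions for illustration."""
import json
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Deque, Dict, List, Optional, Set, Tuple

# Constructed sample in the shape of api_json.log (one JSON object per line).
# Field names follow GitLab's documented log format; the values are invented.
SAMPLE_LOG = """
{"time":"2025-10-23T10:15:00.100Z","severity":"INFO","method":"POST","path":"/api/graphql","status":200,"duration_s":2.1,"remote_ip":"203.0.113.7","user_id":null,"ua":"python-requests/2.32"}
{"time":"2025-10-23T10:15:01.200Z","severity":"INFO","method":"POST","path":"/api/graphql","status":200,"duration_s":3.4,"remote_ip":"203.0.113.7","user_id":null,"ua":"python-requests/2.32"}
{"time":"2025-10-23T10:15:02.300Z","severity":"INFO","method":"POST","path":"/api/graphql","status":500,"duration_s":9.8,"remote_ip":"203.0.113.7","user_id":null,"ua":"python-requests/2.32"}
{"time":"2025-10-23T10:15:03.400Z","severity":"INFO","method":"POST","path":"/api/graphql","status":500,"duration_s":12.6,"remote_ip":"203.0.113.7","user_id":null,"ua":"python-requests/2.32"}
{"time":"2025-10-23T10:15:04.500Z","severity":"INFO","method":"POST","path":"/api/graphql","status":503,"duration_s":15.0,"remote_ip":"203.0.113.7","user_id":null,"ua":"python-requests/2.32"}
{"time":"2025-10-23T10:15:05.600Z","severity":"INFO","method":"POST","path":"/api/graphql","status":503,"duration_s":15.2,"remote_ip":"203.0.113.7","user_id":null,"ua":"python-requests/2.32"}
{"time":"2025-10-23T10:15:06.000Z","severity":"INFO","method":"POST","path":"/api/graphql","status":200,"duration_s":0.2,"remote_ip":"198.51.100.2","user_id":42,"ua":"Mozilla/5.0"}
{"time":"2025-10-23T10:15:07.000Z","severity":"INFO","method":"POST","path":"/api/v4/projects/7/uploads","status":401,"duration_s":0.1,"remote_ip":"203.0.113.9","user_id":null,"ua":"curl/8.5.0"}
{"time":"2025-10-23T10:15:08.000Z","severity":"INFO","method":"POST","path":"/api/v4/projects/7/uploads","status":401,"duration_s":0.1,"remote_ip":"203.0.113.9","user_id":null,"ua":"curl/8.5.0"}
{"time":"2025-10-23T10:15:09.000Z","severity":"INFO","method":"GET","path":"/api/v4/projects","status":200,"duration_s":0.3,"remote_ip":"203.0.113.7","user_id":null,"ua":"curl/8.5.0"}
"""


def classify(path: str) -> Optional[str]:
    """Map a request path to the DoS vector it could exercise, or None if not watched.
    Assumption: these path patterns are the ones worth watching for the two CVEs."""
    if path.startswith("/api/graphql"):
        return "graphql"        # CVE-2025-11447: JSON validation in GraphQL requests
    if "/uploads" in path:
        return "upload"         # CVE-2025-11974: large unauthenticated uploads
    return None


def parse_time(value: str) -> datetime:
    """api_json.log timestamps are UTC with millisecond precision and a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def detect_floods(log_text: str, window_s: int = 60, threshold: int = 5) -> List[Dict[str, object]]:
    """Sliding-window count of unauthenticated hits per (remote_ip, vector);
    emit one alert per key the first time the count reaches the threshold."""
    windows: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    alerts: List[Dict[str, object]] = []
    alerted: Set[Tuple[str, str]] = set()
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        vector = classify(rec.get("path", ""))
        # Authenticated traffic is out of scope: both bugs are reachable without a session,
        # so the unauthenticated flood is the signal worth alerting on.
        if vector is None or rec.get("user_id") is not None:
            continue
        key = (rec["remote_ip"], vector)
        ts = parse_time(rec["time"])
        window = windows[key]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "remote_ip": key[0],
                "vector": vector,
                "count": len(window),
                "first_seen": window[0].isoformat(),
                "last_seen": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(SAMPLE_LOG):
        print(alert)
```

Pair the alert with the rising duration_s and 5xx statuses on the same requests: a flood that also drives response times up is the resource-exhaustion signature these CVEs describe, and the source IP is what to feed into a WAF or rate-limit block while the upgrade is scheduled.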








