GitLab has released a critical security update addressing several denial-of-service (DoS) vulnerabilities in both Community Edition (CE) and Enterprise Edition (EE).
Organizations running self-managed GitLab instances must upgrade immediately to versions 18.4.2, 18.3.4, or 18.2.8 to mitigate potential service disruption.
GitLab.com has already been updated, and Dedicated customers are unaffected.
Hardened GraphQL Endpoints and CI/CD Job Authorization
Today’s patch bundle includes fixes that strengthen GraphQL endpoint processing and tighten CI/CD job authorization checks.
The most severe issue, CVE-2025-10004, allowed unauthenticated attackers to overwhelm GitLab by submitting specially crafted GraphQL queries requesting large repository blobs, resulting in a DoS condition.
A second high-severity flaw, CVE-2025-11340, involved incorrect authorization in GraphQL mutations that could enable authenticated users with read-only tokens to perform unauthorized write operations in Enterprise Edition.
Both weaknesses have been remediated in the latest releases.
Medium-severity vulnerabilities also received attention. CVE-2025-9825 patched a missing authorization check in manual CI/CD jobs that permitted unauthorized users to view sensitive pipeline variables via the GraphQL API.
CVE-2025-2934 addressed a flaw in webhook handling where specially crafted HTTP responses could exhaust system resources and trigger service interruption.
Administrators should note that all deployment types, omnibus packages, source installations, and Helm charts are impacted unless explicitly excluded.
GitLab’s security team follows a twice-monthly scheduled release cadence on the second and fourth Wednesdays, supplemented by ad-hoc critical patches for high-severity issues.
For this update, administrators are urged to consult the GitLab releases handbook and security FAQ for detailed upgrade instructions and recommended best practices.
Upgrading promptly not only protects against the known DoS vulnerabilities but also ensures compliance with evolving security standards.
Maintaining robust security hygiene involves more than patching. GitLab recommends implementing stringent access controls, rotating personal access tokens, and leveraging network isolation techniques.
Post-upgrade, security teams should review audit logs for unusual GraphQL activity and monitor CI/CD pipelines for unauthorized access attempts.
Detailed remediation timelines and proof-of-concept code examples are published on the public issue tracker 30 days after each patch release to foster transparency and community review.
CVE Details and Impact Overview
The following table summarizes the vulnerabilities addressed in this release, along with their severity ratings and CVSS 3.1 scores:
| CVE ID | Description | Severity | CVSS 3.1 Score |
|---|---|---|---|
| CVE-2025-11340 | Incorrect authorization in GraphQL mutations allows write operations | High | 7.7 |
| CVE-2025-10004 | Denial of Service via large GraphQL blob queries | High | 7.5 |
| CVE-2025-9825 | Missing authorization in manual jobs exposes CI/CD variables | Medium | 5.0 |
| CVE-2025-2934 | DoS through malicious webhook HTTP responses | Medium | 4.3 |
Regular updates to the latest patch releases remain critical in safeguarding GitLab instances from exploit attempts.
Cyber Awareness Month Offer: Upskill With 100+ Premium Cybersecurity Courses From EHA's Diamond Membership: Join Today
%20(1).webp?resize=1600,900&ssl=1&description=Organizations running self-managed GitLab instances must upgrade immediately to versions 18.4.2, 18.3.4, or 18.2.8 to mitigate potential service disruption.){kind=link}