GitLab Releases Security Update to Patch Multiple Vulnerabilities Enabling DoS Attacks

GitLab has rolled out critical security updates for both its Community Edition (CE) and Enterprise Edition (EE), introducing versions 18.4.2, 18.3.4, and 18.2.8. These updates address several vulnerabilities that could be exploited to perform denial-of-service (DoS) attacks or gain unauthorized access to GitLab systems.

GitLab strongly recommends all self-managed installations upgrade immediately to avoid potential service interruptions. Meanwhile, GitLab.com and GitLab Dedicated customers are already protected, as the fixes have been applied to their environments.

Overview of the Security Fixes

The new patches resolve four major vulnerabilities discovered by both GitLab’s internal team and independent security researchers. These flaws affect different components of GitLab; some require an authenticated account, while others can be triggered by unauthenticated users. The vulnerabilities highlight the continuous risks to repositories and CI/CD pipelines when updates are delayed.

GitLab maintains a responsible disclosure policy by publicly documenting vulnerabilities 30 days after patches are released, encouraging administrators to update proactively and maintain a strong security posture.

Detailed Breakdown of Patched Vulnerabilities

1. CVE-2025-11340 – GraphQL Mutation Authorization Bypass
Severity: High (CVSS 7.7)
This vulnerability allowed authenticated users with read-only API tokens to perform unauthorized write operations on vulnerability records through improperly scoped GraphQL mutations. Exploiting this flaw could result in tampering with vulnerability data, affecting compliance and governance workflows.
Affected Versions: GitLab EE 18.3–18.3.4 and 18.4–18.4.2
Discovered internally by GitLab.

2. CVE-2025-10004 – Denial of Service via GraphQL Blob Requests
Severity: High (CVSS 7.5)
Attackers could send specially crafted GraphQL requests targeting large repository blobs, consuming excessive system resources and making GitLab servers unresponsive. No authentication is required, significantly increasing the attack surface.
Affected Versions: 13.12–18.2.8, 18.3–18.3.4, and 18.4–18.4.2

3. CVE-2025-9825 – Unauthorized Access to Manual CI/CD Variables
Severity: Medium (CVSS 5.0)
This flaw exposed manual CI/CD variables to authenticated users who were not part of the project. Attackers could use GraphQL queries to retrieve sensitive information.
Affected Versions: 13.7–18.2.8, 18.3–18.3.4, and 18.4–18.4.2

4. CVE-2025-2934 – DoS through Malicious Webhooks
Severity: Medium (CVSS 4.3)
This issue stemmed from a flaw in a Ruby core library. An attacker able to configure a webhook could point it at an endpoint under their control and return crafted HTTP responses, which could destabilize the GitLab server processing them.
Affected Versions: 5.2–18.2.8, 18.3–18.3.4, and 18.4–18.4.2

| CVE ID | Vulnerability Title | Severity | CVSS Score | Impacted Versions |
| --- | --- | --- | --- | --- |
| CVE-2025-11340 | GraphQL Mutations Auth Bypass (EE) | High | 7.7 | 18.3–18.3.4, 18.4–18.4.2 |
| CVE-2025-10004 | DoS via GraphQL Blob Type (CE/EE) | High | 7.5 | 13.12–18.2.8, 18.3–18.3.4, 18.4–18.4.2 |
| CVE-2025-9825 | Manual Jobs Auth Flaw (CE/EE) | Medium | 5.0 | 13.7–18.2.8, 18.3–18.3.4, 18.4–18.4.2 |
| CVE-2025-2934 | DoS via Webhooks (CE/EE) | Medium | 4.3 | 5.2–18.2.8, 18.3–18.3.4, 18.4–18.4.2 |

Mitigation and Recommendations

GitLab urges all self-managed or on-premises users to upgrade without delay. Postponing these updates can expose systems to potential data breaches, service outages, and exploit-based attacks.
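Administrators with several self-managed instances often want a quick way to tell which of the four advisories still apply to a given installation and which patched release to move to. The script below is an added example written for this article; it is not GitLab tooling. It encodes the affected ranges from the table above, reading each range as "from the first listed version up to, but not including, the patched release" (18.2.8, 18.3.4 or 18.4.2), since those are the versions the update introduces. The edition labels `ce` and `ee`, the `open_cves` and `upgrade_target` function names, and the sample version strings are the script's own constructions.

```python
"""Check a self-managed GitLab version against the four advisories in this update.

Added example for this article, not GitLab's own tooling. Affected ranges are taken
from the advisory table and read as [first_affected, fixed_in), with fixed_in being
one of the patched releases 18.2.8 / 18.3.4 / 18.4.2.
"""
from typing import NamedTuple


class Advisory(NamedTuple):
    cve: str
    title: str
    editions: frozenset   # editions the advisory applies to ('ce', 'ee'); labels are ours
    ranges: tuple         # ((first_affected, fixed_in), ...); fixed_in is exclusive


def parse_version(text: str) -> tuple:
    """'18.3.2-ee' -> (18, 3, 2). Missing components are treated as 0."""
    core = text.strip().split("-")[0]           # drop '-ee' / '-ce' style suffixes
    parts = [int(p) for p in core.split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def _rng(first: str, fixed: str) -> tuple:
    return (parse_version(first), parse_version(fixed))


# Patched releases named in the advisory, keyed by release line (major, minor).
PATCHED_RELEASES = {(18, 2): "18.2.8", (18, 3): "18.3.4", (18, 4): "18.4.2"}

ADVISORIES = (
    Advisory("CVE-2025-11340", "GraphQL mutations authorization bypass", frozenset({"ee"}),
             (_rng("18.3", "18.3.4"), _rng("18.4", "18.4.2"))),
    Advisory("CVE-2025-10004", "DoS via GraphQL blob type", frozenset({"ce", "ee"}),
             (_rng("13.12", "18.2.8"), _rng("18.3", "18.3.4"), _rng("18.4", "18.4.2"))),
    Advisory("CVE-2025-9825", "Manual CI/CD variables exposure", frozenset({"ce", "ee"}),
             (_rng("13.7", "18.2.8"), _rng("18.3", "18.3.4"), _rng("18.4", "18.4.2"))),
    Advisory("CVE-2025-2934", "DoS via webhooks", frozenset({"ce", "ee"}),
             (_rng("5.2", "18.2.8"), _rng("18.3", "18.3.4"), _rng("18.4", "18.4.2"))),
)


def is_affected(version: tuple, advisory: Advisory, edition: str) -> bool:
    """True when the edition matches and the version sits inside any affected range.

    Versions older than the first listed version of a range are deliberately not
    flagged: the advisory gives no information about them.
    """
    if edition not in advisory.editions:
        return False
    return any(first <= version < fixed for first, fixed in advisory.ranges)


def open_cves(version_text: str, edition: str = "ce") -> list:
    """CVE IDs from this update that still apply to the given version/edition."""
    v = parse_version(version_text)
    return [a.cve for a in ADVISORIES if is_affected(v, a, edition)]


def upgrade_target(version_text: str):
    """Patched release to move to, or None when already at/after a patched release."""
    v = parse_version(version_text)
    line = v[:2]
    if line in PATCHED_RELEASES:
        target = PATCHED_RELEASES[line]
        return None if v >= parse_version(target) else target
    if v < (18, 2, 0):
        # Oldest patched line; older installs must follow GitLab's documented
        # upgrade path (intermediate stops) rather than jumping straight there.
        return "18.2.8"
    return None  # a line newer than those covered by this advisory


def report(version_text: str, edition: str = "ce") -> str:
    cves = open_cves(version_text, edition)
    target = upgrade_target(version_text)
    if not cves:
        return f"{version_text} ({edition}): no open CVEs from this update"
    return (f"{version_text} ({edition}): open {', '.join(cves)}; "
            f"upgrade to {target or 'a patched release'}")


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for ver, ed in [("18.3.0", "ee"), ("18.2.7-ce", "ce"), ("17.11.5", "ee"), ("18.4.2", "ee")]:
        print(report(ver, ed))
```

Run it against the versions reported by each instance (for example from the admin area or the `version` API endpoint) to produce a per-host list of outstanding CVEs and the release to target. Because the check is purely a version comparison, it tells you whether an instance is within an affected range, not whether it has been attacked; it is an inventory aid for prioritising upgrades.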

Administrators should review GitLab’s official upgrade instructions and apply best practices outlined in its security blog to ensure full protection.

Maintaining a regular patch cycle is critical for teams relying on GitLab for source code management, CI/CD automation, and collaborative development workflows.