VYPR
Published Sep 10, 2025 · Updated May 20, 2026 · 1 source

GitLab Patch Release: 18.3.2, 18.2.6, 18.1.6 Fix Multiple High-Severity Vulnerabilities

GitLab released versions 18.3.2, 18.2.6, and 18.1.6 on September 10, 2025, patching multiple high-severity vulnerabilities including SSRF, DoS, and information disclosure flaws.

GitLab has released emergency patch versions 18.3.2, 18.2.6, and 18.1.6 for both Community Edition (CE) and Enterprise Edition (EE) on September 10, 2025. The updates address seven security vulnerabilities, including two high-severity issues: a server-side request forgery (SSRF) in webhook custom headers (CVE-2025-6454, CVSS 8.5) and a denial-of-service (DoS) vulnerability in SAML responses (CVE-2025-2256, CVSS 7.5). GitLab strongly recommends that all self-managed installations upgrade immediately; GitLab.com is already patched, and GitLab Dedicated customers require no action.

The most critical flaw, CVE-2025-6454, allows authenticated users to make unintended internal requests through proxy environments by injecting crafted sequences. This SSRF vulnerability could enable attackers to access internal services, potentially leading to further compromise. The DoS issue in SAML responses, CVE-2025-2256, could be exploited by unauthorized users sending multiple concurrent large SAML responses, rendering the GitLab instance unresponsive. Both vulnerabilities were reported through GitLab's HackerOne bug bounty program.

Additional medium-severity DoS vulnerabilities include CVE-2025-1250 (CVSS 6.5), which allows authenticated users to stall background job processing via specially crafted commit messages or merge request descriptions; CVE-2025-7337 (CVSS 6.5), enabling authenticated users with Developer-level access to cause persistent DoS by uploading large files; and CVE-2025-10094 (CVSS 6.5), where users can disrupt token listings by creating tokens with excessively large names. An information disclosure flaw, CVE-2025-6769 (CVSS 4.3), lets authenticated users view administrator-only maintenance notes through runner endpoints.

The vulnerabilities affect GitLab versions 7.12 through 18.1.5, 18.2.0 through 18.2.5, and 18.3.0 through 18.3.1. GitLab has also included several bug fixes in these releases, such as updates to gitlab-shell and gitlab-sshd, and fixes for WebAuthn authentication in Firefox. The company follows a policy of making vulnerability details public 30 days after the patch release.
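A small triage helper for administrators, added here as an example and not code from GitLab or from this page's author: it maps an installed GitLab version onto the affected ranges stated above and names the patched release that line should move to. The version boundaries come from the advisory text; the function names and the sample version strings are assumptions.

```python
from typing import Optional, Tuple

# (first affected, last affected, fixed release) per release line, as stated in the advisory.
AFFECTED_RANGES = [
    ((7, 12, 0), (18, 1, 5), "18.1.6"),
    ((18, 2, 0), (18, 2, 5), "18.2.6"),
    ((18, 3, 0), (18, 3, 1), "18.3.2"),
]


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse '18.2.5', '18.2.5-ee' or 'v18.2' into a comparable (major, minor, patch) tuple."""
    core = text.strip().lstrip("v").split("-")[0]  # drop a 'v' prefix and any '-ee'/'-ce' suffix
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def required_upgrade(version: str) -> Optional[str]:
    """Return the patched release this instance must move to, or None if the version
    is outside every affected range listed in the advisory."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return fixed
    return None


if __name__ == "__main__":
    # Constructed sample inputs (assumption); in practice feed the version reported by
    # `gitlab-rake gitlab:env:info` or the instance's /api/v4/version endpoint.
    for sample in ["18.3.1-ee", "18.2.6", "18.1.4", "17.11.3-ce", "18.4.0"]:
        fix = required_upgrade(sample)
        print(f"{sample:>12}: {'upgrade to ' + fix if fix else 'not in an affected range'}")
```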

This patch release underscores the ongoing challenge of securing complex DevOps platforms. GitLab's proactive approach, including its bug bounty program and regular patch cycles, helps mitigate risks, but administrators must remain vigilant. The SSRF vulnerability in particular highlights the dangers of allowing user-controlled input in webhook configurations, a common feature in CI/CD pipelines. Organizations using self-managed GitLab instances should prioritize this update to protect against potential exploitation.

Synthesized by Vypr AI