Published Oct 22, 2025 · Updated May 20, 2026 · 1 source

GitLab Patches Critical Runner Hijack and Multiple DoS Flaws in Emergency Release

GitLab released versions 18.5.1, 18.4.3, and 18.3.5 on October 22, 2025, fixing a critical runner hijack vulnerability and three denial-of-service flaws.

GitLab has released emergency patch versions 18.5.1, 18.4.3, and 18.3.5 for both Community Edition (CE) and Enterprise Edition (EE), addressing multiple security vulnerabilities, including a critical improper access control issue in the runner API. The most severe flaw, tracked as CVE-2025-11702, carries a CVSS score of 8.5 and could allow an authenticated user with specific permissions to hijack project runners belonging to other projects. Because runners execute CI jobs and receive those jobs' variables and tokens, control over another project's runner is a path into that project's build environment and the credentials it handles, not merely a resource-abuse problem. This vulnerability affects GitLab EE from version 17.1 up to the patched versions and was reported through GitLab's HackerOne bug bounty program by researcher iamgk808.

In addition to the runner hijack issue, GitLab patched three denial-of-service vulnerabilities. CVE-2025-10497 (CVSS 7.5) allows an unauthenticated attacker to cause a denial of service by sending specially crafted payloads to the event collection endpoint. CVE-2025-11447 (CVSS 7.5) is a flaw in JSON validation reachable through GraphQL requests that lets an unauthenticated user crash the service with crafted payloads. CVE-2025-11974 (CVSS 6.5) lets an unauthenticated user trigger a denial of service by uploading large files to specific API endpoints. Both CVE-2025-10497 and CVE-2025-11447 were reported by researcher a92847865.

The update also addresses several medium- and low-severity issues. CVE-2025-11971 (CVSS 6.5) is an incorrect authorization flaw in pipeline builds that could allow an authenticated user to trigger unauthorized pipeline executions by manipulating commits. CVE-2025-6601 (CVSS 3.8) is a business logic error in group memberships that could grant unauthorized project access through the access request approval workflow. CVE-2025-11989 (CVSS 3.7) is a missing authorization issue in quick actions that could allow an authenticated user to execute unauthorized commands.

GitLab strongly recommends that all self-managed installations upgrade to the latest patched version for their release branch immediately. GitLab.com already runs the patched version, and GitLab Dedicated customers do not need to take action. In line with its disclosure policy, GitLab will make the details of these issues public 30 days after the patch release. This release underscores the ongoing challenge of securing complex DevOps platforms, where even authenticated users can pose significant risks if access controls are not properly enforced.
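For an operator with several self-managed instances, the first question is which of them still sit below the fixed version on their branch. The script below is an added example, not GitLab's own tooling: it parses a version string of the form GitLab's `GET /api/v4/version` endpoint returns (assumed here to look like `"18.4.2-ee"`, with the `-ee` suffix marking Enterprise Edition; the sample response is constructed, not captured) and decides whether an upgrade is needed and whether the instance falls in the CVE-2025-11702 range stated above (EE, 17.1 and later, below the fixed release). Treating anything newer than 18.5 as already carrying the fixes is an assumption, as is treating every branch older than 18.3 as needing a move to a patched branch.

```python
"""Triage a self-managed GitLab version against the October 22, 2025 patch releases.

Added example; not GitLab code. Assumes version strings of the form
"MAJOR.MINOR.PATCH[-ee]" as returned by GET /api/v4/version.
"""
import json
import re

# Fixed version per release branch, from the advisory summary.
PATCHED = {
    (18, 5): (18, 5, 1),
    (18, 4): (18, 4, 3),
    (18, 3): (18, 3, 5),
}
LATEST_PATCHED_BRANCH = (18, 5)

# CVE-2025-11702 (runner hijack) affects GitLab EE from 17.1 per the advisory summary.
RUNNER_HIJACK_MIN = (17, 1, 0)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from e.g. '18.4.2-ee'; suffixes are ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def needs_upgrade(version):
    """True if the version is below the fixed release for its branch.

    Branches older than 18.3 have no patched release in this set, so they
    need a move to a patched branch. Branches newer than 18.5 are assumed
    (not confirmed by the advisory summary) to already include the fixes.
    """
    v = parse_version(version)
    branch = v[:2]
    if branch in PATCHED:
        return v < PATCHED[branch]
    if branch > LATEST_PATCHED_BRANCH:
        return False  # assumption: later branches ship the fixes
    return True


def exposed_to_runner_hijack(version, edition):
    """True if this instance matches the stated CVE-2025-11702 range: EE, >= 17.1, unpatched."""
    v = parse_version(version)
    return edition.upper() == "EE" and v >= RUNNER_HIJACK_MIN and needs_upgrade(version)


def check_instance(version_response_json):
    """Triage one instance from the JSON body of GET /api/v4/version."""
    data = json.loads(version_response_json)
    version = data["version"]
    edition = "EE" if version.endswith("-ee") else "CE"  # assumption about the suffix
    return {
        "version": version,
        "edition": edition,
        "needs_upgrade": needs_upgrade(version),
        "runner_hijack_exposed": exposed_to_runner_hijack(version, edition),
    }


# Constructed sample response, not captured from a real instance.
SAMPLE_VERSION_RESPONSE = '{"version": "18.4.2-ee", "revision": "abc1234"}'

if __name__ == "__main__":
    print(check_instance(SAMPLE_VERSION_RESPONSE))
```

To run it against a live instance, fetch `/api/v4/version` with a token that has `read_api` scope and pass the response body to `check_instance`; the functions above stay offline so they can be unit-tested against the fixed-version table alone.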

Synthesized by Vypr AI