VYPR
patch · Published Aug 27, 2025 · Updated May 20, 2026 · 1 source

GitLab Patches Four Medium-Severity Flaws Including Unauthenticated CI/CD Variable Access

GitLab released versions 18.3.1, 18.2.5, and 18.1.5 on August 27, 2025, fixing four medium-severity vulnerabilities including an unauthenticated GraphQL endpoint that exposes sensitive CI/CD variables.

GitLab released versions 18.3.1, 18.2.5, and 18.1.5 for Community Edition (CE) and Enterprise Edition (EE) on August 27, 2025, addressing four medium-severity security vulnerabilities. The company strongly recommends that all self-managed installations upgrade immediately, while GitLab.com and GitLab Dedicated customers are already protected.

The most notable flaw, tracked as CVE-2025-2246 (CVSS 5.8), is a missing authentication issue in a GraphQL endpoint that allows unauthenticated users to access sensitive manual CI/CD variables. This vulnerability affects all GitLab versions before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1. The bug was reported by researcher pwnie through GitLab's HackerOne bug bounty program.

Two denial-of-service vulnerabilities were also patched. CVE-2025-3601 (CVSS 6.5) allows an authenticated attacker to cause a DoS condition by submitting URLs that generate excessively large responses during the import function. CVE-2025-4225 (CVSS 5.3) enables an unauthenticated attacker to trigger a denial-of-service condition affecting all users by sending specially crafted GraphQL requests. Both were reported through the bug bounty program.

The fourth vulnerability, CVE-2025-5101 (CVSS 5.0), is a code injection issue that allows an authenticated attacker to distribute malicious code that appears harmless in the web interface. The flaw stems from ambiguity between branches and tags during repository imports, potentially enabling supply-chain attacks against downstream users who pull from compromised repositories.

GitLab's patch release also includes numerous bug fixes across all three version streams, including fixes for container scanning SBOM generation, a Mattermost update to v10.10.2, and various backports addressing namespace issues and CI pipeline optimizations.

This is the second security-focused patch release from GitLab in 2025, following a May 2026 emergency patch that fixed multiple high-severity XSS and DoS flaws. The company maintains a regular patch cadence with releases on the second and fourth Wednesdays of each month, though ad-hoc critical patches are issued for high-severity vulnerabilities.

Organizations running self-managed GitLab instances should prioritize upgrading to versions 18.3.1, 18.2.5, or 18.1.5 depending on their current deployment. The vulnerabilities underscore the importance of keeping CI/CD platforms patched, as they often serve as critical infrastructure for software development pipelines and can be leveraged for supply-chain attacks.
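A small inventory check, added here and not part of the Vypr summary or of GitLab's own tooling, that maps a running version string (the `MAJOR.MINOR.PATCH[-ee|-ce]` form returned by GitLab's `/api/v4/version` endpoint) onto the affected ranges stated above and names the minimal fixed release for that stream. The ranges come from this page; treating streams newer than 18.3 as unaffected is an inference from the advisory not listing them.

```python
"""Classify a self-managed GitLab version against the August 27, 2025 patch release.

Affected ranges as stated in the advisory summary:
  * all versions before 18.1.5
  * 18.2.x before 18.2.5
  * 18.3.x before 18.3.1
Fixed releases: 18.1.5, 18.2.5, 18.3.1.
"""
from __future__ import annotations

import re

# Minimal fixed version per minor stream. Streams older than 18.1 have no
# in-stream fix and must move to 18.1.5 or later.
FIXED_BY_STREAM = {(18, 1): (18, 1, 5), (18, 2): (18, 2, 5), (18, 3): (18, 3, 1)}
OLDEST_FIXED = (18, 1, 5)


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' with an optional edition suffix such as '-ee'."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(?:-[a-z]+)?\s*", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    major, minor, patch = parse_version(version)
    stream = (major, minor)
    if stream in FIXED_BY_STREAM:
        return (major, minor, patch) < FIXED_BY_STREAM[stream]
    # Older streams are wholly affected; streams newer than 18.3 are not
    # listed as affected (inference from the advisory's ranges).
    return stream < OLDEST_FIXED[:2]


def recommended_upgrade(version: str) -> str | None:
    """Minimal fixed release for the running stream, or None if already patched."""
    if not is_affected(version):
        return None
    stream = parse_version(version)[:2]
    target = FIXED_BY_STREAM.get(stream, OLDEST_FIXED)
    return ".".join(map(str, target))


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real instance.
    for v in ("18.3.0-ee", "18.2.4", "18.0.2", "18.3.1-ce"):
        print(v, "->", recommended_upgrade(v) or "patched")
```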

Synthesized by Vypr AI