VYPR
patch · Published Oct 8, 2025 · Updated May 20, 2026 · 1 source

GitLab Patches Four Vulnerabilities Including High-Severity Authorization and DoS Flaws

GitLab released versions 18.4.2, 18.3.4, and 18.2.8 on October 8, 2025, fixing four vulnerabilities including a high-severity authorization bypass in GraphQL mutations and a denial-of-service flaw.

GitLab released versions 18.4.2, 18.3.4, and 18.2.8 on October 8, 2025, addressing four security vulnerabilities that affect both Community Edition (CE) and Enterprise Edition (EE). The patch release includes fixes for an incorrect authorization issue in GraphQL mutations, a denial-of-service vulnerability via crafted GraphQL queries, a missing authorization issue exposing CI/CD variables, and a denial-of-service flaw in webhook endpoints. GitLab strongly recommends that all self-managed installations upgrade immediately, while GitLab.com and GitLab Dedicated customers are already protected.

The most severe vulnerability, tracked as CVE-2025-11340, carries a CVSS score of 7.7 and affects GitLab EE only. This incorrect authorization issue in GraphQL mutations could allow authenticated users with read-only API tokens to perform unauthorized write operations on vulnerability records. The flaw was discovered internally by GitLab team member Brian Williams and impacts all versions from 18.3 prior to 18.3.4 and from 18.4 prior to 18.4.2.

A second high-severity vulnerability, CVE-2025-10004 (CVSS 7.5), affects both GitLab CE and EE. This denial-of-service issue allows an unauthenticated attacker to make the GitLab instance unresponsive or degraded by sending crafted GraphQL queries that request large repository blobs. The vulnerability impacts versions from 13.12 prior to 18.2.8, 18.3 prior to 18.3.4, and 18.4 prior to 18.4.2. It was reported by the researcher pwnie through GitLab's HackerOne bug bounty program.

Two medium-severity vulnerabilities were also patched. CVE-2025-9825 (CVSS 5.0) is a missing authorization issue in manual jobs that could allow authenticated users without project membership to view sensitive manual CI/CD variables by querying the GraphQL API. This flaw, reported by the researcher joaxcar, affects versions from 13.7 prior to 18.2.8, 18.3 prior to 18.3.4, and 18.4 prior to 18.4.2. CVE-2025-2934 (CVSS 4.3) is a denial-of-service issue in webhook endpoints: an authenticated user can configure malicious webhook endpoints that return crafted HTTP responses and thereby create a denial-of-service condition on the instance. This issue, reported by the researcher ppee, was also reported to the Ruby Core maintainers on July 17, 2025, and affects versions from 5.2 prior to 18.2.8, 18.3 prior to 18.3.4, and 18.4 prior to 18.4.2.
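As an added example (not code from the advisory or from GitLab), the following Python script maps a self-managed instance's version string, such as the one an administrator reads from the instance's version endpoint, against the affected and fixed ranges listed above and reports which of the four CVEs still apply. The fixed versions and first-affected versions come from the release notes; the treatment of minor branches newer than 18.4 as already patched is an assumption.

```python
from dataclasses import dataclass
from typing import List, Tuple

Version = Tuple[int, int, int]

def parse_version(text: str) -> Version:
    """Parse '18.3.2' or '18.3.2-ee' into a (major, minor, patch) tuple."""
    core = text.strip().split("-")[0]          # drop '-ee' / '-ce' suffixes
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]

@dataclass(frozen=True)
class Advisory:
    cve: str
    first_affected: Version   # oldest affected version per the release notes
    ee_only: bool             # CVE-2025-11340 affects Enterprise Edition only

# Fixed versions of the October 8, 2025 patch release. Instances on an older
# minor branch (e.g. 17.x) are inside "13.12 prior to 18.2.8" and need 18.2.8+.
FIXED: List[Version] = [(18, 2, 8), (18, 3, 4), (18, 4, 2)]

ADVISORIES = [
    Advisory("CVE-2025-11340", (18, 3, 0), ee_only=True),
    Advisory("CVE-2025-10004", (13, 12, 0), ee_only=False),
    Advisory("CVE-2025-9825", (13, 7, 0), ee_only=False),
    Advisory("CVE-2025-2934", (5, 2, 0), ee_only=False),
]

def is_patched(v: Version) -> bool:
    """True if v is at or above the fixed release for its own minor branch."""
    for fixed in FIXED:
        if v[:2] == fixed[:2]:
            return v >= fixed
    # Assumption: branches newer than 18.4 shipped after the fix; older
    # branches have no fixed release of their own and must upgrade.
    return v[:2] > (18, 4)

def applicable_cves(version: str, edition: str = "ee") -> List[str]:
    """CVEs from this release that still apply to the given version/edition."""
    v = parse_version(version)
    if is_patched(v):
        return []
    return [a.cve for a in ADVISORIES
            if v >= a.first_affected and (edition == "ee" or not a.ee_only)]

if __name__ == "__main__":
    for sample in ("18.3.2-ee", "18.4.2-ee", "18.2.7-ce", "17.11.3-ee"):
        print(sample, applicable_cves(sample, sample.split("-")[1]))
```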

In addition to security fixes, the patch releases include numerous bug fixes addressing issues such as pipeline helper safety chaining, Workhorse HTTP handling for DWS proxy, Geo event worker fixes, and various backports for CI/CD, work item transfers, and session management. The full list of bug fixes is available in the GitLab patch release notes.

GitLab's patch release cycle includes both scheduled releases, which occur twice a month on the second and fourth Wednesdays, and ad-hoc critical patches for high-severity vulnerabilities. The company typically makes vulnerability details public on its issue tracker 30 days after the patched release. This release underscores the importance of maintaining up-to-date installations, particularly for self-managed instances that handle sensitive code and CI/CD pipelines. Organizations running affected versions should prioritize upgrading to versions 18.4.2, 18.3.4, or 18.2.8 to mitigate the risk of unauthorized access, data exposure, and service disruption.

Synthesized by Vypr AI