GitLab Patches High-Severity DoS and SAML 2FA Bypass in Emergency Release
GitLab released versions 18.0.1, 17.11.3, and 17.10.7 on May 21, 2025, fixing multiple security vulnerabilities including a high-severity unauthenticated denial-of-service flaw and a SAML response manipulation bug that bypasses two-factor authentication.

GitLab has released emergency patch versions 18.0.1, 17.11.3, and 17.10.7 for both Community Edition and Enterprise Edition, addressing a total of ten security vulnerabilities. The most critical is CVE-2025-0993, a high-severity issue (CVSS 7.5) that allows an unauthenticated attacker to cause a denial of service by exhausting server resources via an unprotected large blob endpoint. This flaw affects all versions before the patched releases and was reported through GitLab's HackerOne bug bounty program.
Another notable vulnerability is CVE-2024-12093, a medium-severity bug (CVSS 6.8) caused by improper XPath validation, which allows a modified SAML response to bypass two-factor authentication requirements under specialized conditions. This issue has been present since version 11.1 and was reported by researcher joaxcar. The patch also fixes a medium-severity DoS via the Discord webhook integration (CVE-2024-7803), an unbounded Kubernetes cluster token DoS (CVE-2025-3111), and an unvalidated notes position DoS (CVE-2025-2853).
Additional fixes address information disclosure risks. CVE-2025-4979 allows an attacker to reveal masked or hidden CI variables in the web UI by creating their own variable and observing the HTTP responses. Another medium-severity issue allows two-factor authentication requirements to be bypassed through group access controls. Low-severity flaws include branch name confusion in confidential merge requests and unauthorized access to job data via GraphQL queries.
GitLab strongly recommends that all self-managed instances upgrade immediately to one of the patched versions. GitLab.com is already running the fixed version, and GitLab Dedicated customers do not need to take action. The company notes that security issue details are made public on their issue tracker 30 days after the patch release.
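As an added example (not code from GitLab or from this article), the following Python check compares a self-managed instance's reported version against the three patched releases named above and lists the instances that still need the upgrade. The hostnames and version strings in the sample inventory are constructed; the version string for a real instance would come from GitLab's GET /api/v4/version endpoint.

```python
import re
from typing import List, NamedTuple, Tuple

# Patched releases from the advisory: (major, minor) release line -> first patch level with the fixes.
PATCHED = {(18, 0): 1, (17, 11): 3, (17, 10): 7}

class Verdict(NamedTuple):
    version: Tuple[int, int, int]
    patched: bool
    advice: str

def parse_version(s: str) -> Tuple[int, int, int]:
    """Parse a '17.11.2-ee' style string into (major, minor, patch); the edition suffix is ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", s)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {s!r}")
    return tuple(int(x) for x in m.groups())

def check_version(s: str) -> Verdict:
    """Decide whether an instance runs a release that contains the fixes in this advisory."""
    major, minor, patch = version = parse_version(s)
    line = (major, minor)
    if line in PATCHED:
        fix = PATCHED[line]
        if patch >= fix:
            return Verdict(version, True, f"at or above fixed release {major}.{minor}.{fix}")
        return Verdict(version, False, f"upgrade to {major}.{minor}.{fix}")
    if line > max(PATCHED):
        # Release lines newer than 18.0 were cut after the fixes landed.
        return Verdict(version, True, "release line newer than the patched versions")
    # 17.9 and older lines received no backport: move to one of the patched lines.
    return Verdict(version, False, "unpatched release line; upgrade to 17.10.7, 17.11.3 or 18.0.1")

def instances_needing_upgrade(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (hostname, advice) for each (hostname, version) entry that is not patched."""
    result = []
    for host, ver in inventory:
        verdict = check_version(ver)
        if not verdict.patched:
            result.append((host, verdict.advice))
    return result

# Constructed sample inventory (hypothetical hosts and versions, not real instances).
SAMPLE_INVENTORY = [
    ("git.example.internal", "17.11.2-ee"),     # one patch level short of 17.11.3
    ("ci.example.internal", "18.0.1-ee"),       # patched
    ("legacy.example.internal", "16.11.9-ce"),  # old release line with no backport
]
```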
This patch release comes as GitLab continues to face scrutiny over its security posture. The vulnerabilities were discovered through its bug bounty program, highlighting the importance of community reporting. Organizations running self-managed GitLab instances should prioritize this update to prevent potential DoS attacks and authentication bypasses that could lead to unauthorized access.