GitLab Patches Six Vulnerabilities Including Unauthenticated File Upload and DoS Flaw
GitLab released versions 18.1.1, 18.0.3, and 17.11.5 on June 25, 2025, fixing six security vulnerabilities, including a medium-severity flaw allowing unauthenticated file uploads to public projects.

GitLab released emergency patch versions 18.1.1, 18.0.3, and 17.11.5 on June 25, 2025, addressing six security vulnerabilities affecting both Community and Enterprise Editions. The most notable flaw, CVE-2025-1754 (CVSS 5.3), allows unauthenticated attackers to upload arbitrary files to public projects via crafted API requests, potentially leading to resource abuse and unauthorized content storage. This issue impacts all self-managed GitLab instances running versions from 17.2 up to, but not including, the patched releases; GitLab.com was already patched before the public disclosure.
Another medium-severity vulnerability, CVE-2025-3279 (CVSS 6.5), enables authenticated attackers to trigger a denial-of-service condition by sending specially crafted GraphQL requests. The flaw affects all GitLab versions from 10.7 up to the patched releases, and was reported by researcher pwnie through GitLab's HackerOne bug bounty program. GitLab has also fixed CVE-2025-5315 (CVSS 4.3), an improper access control issue allowing Guest users to add child items to incident work items via API calls that bypass UI-imposed role restrictions.
A lower-severity elevation-of-privilege bug, CVE-2025-2938 (CVSS 3.1), was patched to prevent authenticated users from gaining unintended elevated permissions during project access request approval processes. Additionally, CVE-2025-5846 (CVSS 2.7) affects GitLab Enterprise Edition only, allowing authenticated users to assign unrelated compliance frameworks to projects via crafted GraphQL mutations. This last issue was reported internally by GitLab team member Joern Schneeweisz.
GitLab strongly recommends that all self-managed installations running affected versions — from 10.7 through 18.1.x — upgrade immediately to one of the patched releases. GitLab.com is already running the fixed software, and GitLab Dedicated customers do not need to take action. The company follows a patch release cadence of two scheduled releases per month, plus ad-hoc critical patches for high-severity vulnerabilities. Full technical details for each vulnerability will be made public on GitLab's issue tracker 30 days after this release.
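The practical question for an operator reading this advisory is whether a given instance sits inside the affected range and which patched release to move to. The following Python script is an added example, not GitLab's own tooling: it encodes the version ranges stated above (affected from 10.7 through 18.1.x, fixed in 18.1.1, 18.0.3 and 17.11.5) and parses the JSON body that GitLab's authenticated `GET /api/v4/version` endpoint returns. The sample response embedded below is constructed for the demonstration and does not come from a real instance.

```python
"""Assess a self-managed GitLab version against the June 25, 2025 patch
release (18.1.1, 18.0.3, 17.11.5).

Added example, not GitLab's own tooling. The ranges are taken from the
advisory summary: affected from 10.7 through 18.1.x, fixed in the three
releases listed in PATCHED.
"""
import json
import re

# Patched releases announced on June 25, 2025 (from the advisory).
PATCHED = [(18, 1, 1), (18, 0, 3), (17, 11, 5)]
# Lowest version in the stated affected range (CVE-2025-3279 reaches back to 10.7).
AFFECTED_FROM = (10, 7, 0)


def parse_version(text):
    """Turn '18.0.2-ee' or '17.11.4' into a (major, minor, patch) tuple.

    The '-ee' / '-ce' / '-pre' suffix GitLab appends is ignored for the
    comparison; a missing patch component is treated as 0."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def assess(version):
    """Return (affected, recommended_upgrade_or_None) for a version tuple.

    A version is affected when it is at least 10.7 and older than the fix
    for its own release stream (18.1.x -> 18.1.1, 18.0.x -> 18.0.3,
    17.11.x -> 17.11.5). A version on another stream is unaffected if it is
    newer than 18.1.1; otherwise it is older than all three fixes and should
    move to the lowest patched release above it."""
    if version < AFFECTED_FROM:
        return (False, None)
    for fixed in PATCHED:
        if version[:2] == fixed[:2]:  # same major.minor stream
            if version >= fixed:
                return (False, None)
            return (True, fixed)
    if version > PATCHED[0]:  # e.g. 18.2.x already contains the fixes
        return (False, None)
    candidates = [f for f in PATCHED if f > version]
    return (True, min(candidates))


def assess_api_response(body):
    """Parse the JSON body returned by GitLab's GET /api/v4/version endpoint
    (shape: {"version": "...", "revision": "..."}) and assess it.

    Returns a small dict that is convenient to log or feed to an inventory."""
    info = json.loads(body)
    affected, upgrade = assess(parse_version(info["version"]))
    return {
        "version": info["version"],
        "affected": affected,
        "upgrade_to": ".".join(map(str, upgrade)) if upgrade else None,
    }


# Constructed sample in the shape /api/v4/version returns; not a real instance.
SAMPLE_RESPONSE = '{"version": "18.0.2-ee", "revision": "placeholder"}'

if __name__ == "__main__":
    # Expected: {'version': '18.0.2-ee', 'affected': True, 'upgrade_to': '18.0.3'}
    print(assess_api_response(SAMPLE_RESPONSE))
```

In practice the JSON body would come from a request to `/api/v4/version` with a personal access token supplied in the `PRIVATE-TOKEN` header; keeping the assessment logic separate from the HTTP call makes it easy to run the same check over a fleet inventory exported from a CMDB, which is how a defender would find the instances that missed a patch cycle.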
The patch batch also includes numerous bug fixes backported to each version stream, addressing issues ranging from LFS file download restrictions to wiki comment stability and CI pipeline performance. This release underscores the ongoing challenge of securing large, self-hosted development platforms where multiple versions are simultaneously supported, as attackers actively probe for gaps between patch cycles.