GitLab has released security updates for versions 18.4.1, 18.3.3, and 18.2.7 of its Community Edition (CE) and Enterprise Edition (EE). The company urges all self-managed users to upgrade immediately, warning that the fixes include several high-severity vulnerabilities that could expose instances to denial of service and information disclosure attacks.
High-Severity Vulnerabilities
CVE-2025-10858 (CVSS 7.5) – DoS via Crafted JSON Files
GitLab patched a vulnerability that could let an unauthenticated attacker render a GitLab instance unresponsive to legitimate users by sending specifically crafted JSON files. The company explains, “GitLab has remediated an issue that could have allowed an unauthenticated user to render a GitLab instance unresponsive to legitimate users by sending specifically crafted JSON files.”
CVE-2025-8014 (CVSS 7.5) – DoS via Query Complexity Bypass
Another denial of service bug allowed unauthenticated attackers to bypass query complexity limits. According to GitLab, “GitLab has remediated an issue that could have allowed an unauthenticated user to bypass query complexity limits leading to a Denial of Service condition.”
Other Fixed Vulnerabilities
- CVE-2025-9958 – Information disclosure in virtual registry configurations (CVSS 6.8)
- CVE-2025-7691 – Privilege escalation from the Developer role (CVSS 6.5)
- GraphQL API DoS via Unbounded Array Parameters – uncontrolled CPU consumption (CVSS 4.3)
- CVE-2025-10871 – Improper authorization by Project Maintainers when assigning roles (CVSS 3.8)
- CVE-2025-10867 – DoS in GraphQL API blobSearch (CVSS 3.5)
- CVE-2025-5069 – Incorrect ownership assignment via Move Issue drop-down (CVSS 3.5)
- CVE-2025-10868 – DoS via string conversion methods (CVSS 3.5)
- PostgreSQL Security Updates – GitLab has also updated PostgreSQL to version 16.10, fixing CVE-2025-8713, CVE-2025-8714, and CVE-2025-8715
Administrators of self-managed GitLab instances should upgrade immediately to 18.4.1, 18.3.3, or 18.2.7.
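As an added illustration (not part of GitLab's advisory or of this article), the following Python script checks whether a self-managed instance's reported version is at or above the fixed release on its own line (18.4.1, 18.3.3 or 18.2.7). It assumes the JSON shape returned by GitLab's `GET /api/v4/version` endpoint (a `version` string such as `18.3.2-ee`), and it treats release lines newer than 18.4 as already containing these fixes, which is an assumption rather than something the advisory states. The sample response embedded below is constructed for the example.

```python
"""Check a self-managed GitLab version against the 18.4.1 / 18.3.3 / 18.2.7
security release. Added example; not GitLab's own code."""
import json
import re

# Minimum patched version on each release line covered by the advisory.
PATCHED = {
    (18, 4): (18, 4, 1),
    (18, 3): (18, 3, 3),
    (18, 2): (18, 2, 7),
}

# Accepts "X.Y.Z" with an optional suffix such as "-ee" or "-pre".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a GitLab version string."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(version_text):
    """Classify a version as 'patched', 'vulnerable' or 'unsupported'.

    Returns a (status, detail) pair so callers can log the reason."""
    major, minor, patch = parse_version(version_text)
    line = (major, minor)
    if line in PATCHED:
        fixed = PATCHED[line]
        fixed_text = ".".join(str(p) for p in fixed)
        if (major, minor, patch) >= fixed:
            return "patched", f"{version_text} is at or above {fixed_text}"
        return "vulnerable", f"upgrade to {fixed_text}"
    if line > max(PATCHED):
        # Assumption: release lines newer than 18.4 ship with these fixes.
        return "patched", "release line newer than the advisory's lines"
    # Lines older than 18.2 received no fixed release in this advisory.
    return "unsupported", "move to a supported line (18.2, 18.3 or 18.4) at its fixed version"


def assess_api_response(raw_json):
    """Assess the body of GET /api/v4/version (assumed shape: {'version': ...})."""
    body = json.loads(raw_json)
    return assess(body["version"])


# Constructed sample response, standing in for a real API call.
SAMPLE_RESPONSE = '{"version": "18.3.2-ee", "revision": "0123abcd"}'

if __name__ == "__main__":
    status, detail = assess_api_response(SAMPLE_RESPONSE)
    print(f"{status}: {detail}")
```

Point `assess_api_response` at the real response body of an authenticated `GET /api/v4/version` call to use it against an actual instance; anything other than `patched` is a reason to schedule the upgrade.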