GitLab has released important updates addressing two high-severity vulnerabilities that impact both its Community Edition (CE) and Enterprise Edition (EE) products. The flaws — CVE-2025-11340 and CVE-2025-10004 — affect recent releases of GitLab up to version 18.4.2, and could allow attackers to either perform unauthorized write operations or trigger denial-of-service conditions through crafted GraphQL queries.
The first vulnerability, CVE-2025-11340, affects GitLab Enterprise Edition and has been rated 7.7 (High) under the CVSS v3.1 scoring system.
GitLab explains that this flaw could allow authenticated users with read-only API tokens to perform unauthorized write operations on vulnerability records — a direct violation of intended permission boundaries.
As stated in the advisory, “GitLab has remediated an issue that, under certain conditions, could have allowed authenticated users with read-only API tokens to perform unauthorized write operations on vulnerability records by exploiting incorrectly scoped GraphQL mutations.”
The second high-severity issue, CVE-2025-10004, impacts both GitLab CE and EE and has been assigned a CVSS score of 7.5 (High).
This flaw resides in the GraphQL blob type functionality and can be exploited remotely by sending crafted GraphQL queries requesting extremely large repository blobs. Successful exploitation could make a GitLab instance unresponsive or significantly degrade performance.
The advisory warns, “GitLab has remediated an issue that could make the GitLab instance unresponsive or degraded by sending crafted GraphQL queries requesting large repository blobs.”
Unlike CVE-2025-11340, this vulnerability does not require authentication, which greatly increases its attack surface — particularly for publicly accessible GitLab instances.
While the update also addresses several moderate- and low-severity issues — including CVE-2025-9825 (authorization flaw in CI/CD variables) and CVE-2025-2934 (webhook-based DoS) — GitLab prioritized the two GraphQL vulnerabilities for immediate remediation.
GitLab strongly urges administrators of self-managed and on-premise deployments to upgrade immediately to 18.4.2, 18.3.4, or 18.2.8.
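As an added check (example code, not GitLab's own), the following script tells an administrator whether a self-managed instance's version string, as returned by `GET /api/v4/version`, already carries the fixes listed above. It assumes that release branches older than 18.2 received no backport and should move to the oldest fixed release, and that branches newer than 18.4 were cut after the fix.

```python
"""Check a GitLab version against the releases that fix
CVE-2025-11340 and CVE-2025-10004 (18.4.2, 18.3.4, 18.2.8).

Added example, not GitLab's code. Assumptions: branches older than
18.2 are unpatched (upgrade to the oldest fixed release); branches
newer than 18.4 were released after the fix and are treated as patched."""
import re
from typing import Optional, Tuple

# Minimum patched release per supported branch, as listed in the advisory summary.
FIXED_VERSIONS = {
    (18, 4): (18, 4, 2),
    (18, 3): (18, 3, 4),
    (18, 2): (18, 2, 8),
}

# Matches 'MAJOR.MINOR.PATCH' with an optional '-ee' / '-ce' suffix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(ee|ce))?", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse the 'version' field of GET /api/v4/version into a comparable tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def needs_upgrade(version: str) -> Optional[Tuple[int, int, int]]:
    """Return the release to upgrade to, or None if the version is already patched."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_VERSIONS:
        fixed = FIXED_VERSIONS[branch]
        return None if v >= fixed else fixed
    if branch > max(FIXED_VERSIONS):
        return None  # assumption: newer branch, cut after the fix
    return min(FIXED_VERSIONS.values())  # assumption: old branch, no backport


if __name__ == "__main__":
    # Constructed sample version strings in the format the /version API returns.
    for sample in ["18.4.1-ee", "18.4.2-ee", "18.3.3-ce", "18.2.8", "18.1.5", "18.5.0-ee"]:
        target = needs_upgrade(sample)
        status = "patched" if target is None else "upgrade to %d.%d.%d" % target
        print(f"{sample:12} {status}")
```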