GitLab Flaws Open Door to DoS Attacks

GitLab has issued critical security updates to address 11 vulnerabilities across its Community Edition (CE) and Enterprise Edition (EE) platforms, including several high-risk flaws that could lead to denial-of-service (DoS) attacks.

The release includes versions 18.0.1, 17.11.3, and 17.10.7, reflecting GitLab’s latest efforts to defend against various attack methods that could disrupt operations through resource exhaustion, authentication issues, and data exposure threats. 

This marks GitLab's most extensive security response of 2025, affecting all deployment types: omnibus packages, source installations, and Helm chart deployments. The company strongly advises all users who manage their own GitLab instances to upgrade without delay. GitLab.com is already running the patched versions.

Critical Vulnerability: Large Blob Endpoint 

The most serious vulnerability, identified as CVE-2025-0993, allows authenticated users to exhaust server resources by exploiting an unprotected large blob endpoint. This issue has been rated 7.5 on the CVSS v3.1 scale. 

The vulnerability affects all unpatched versions and lets attackers overload systems by submitting oversized data repeatedly. Git blobs, which store file contents in repositories, are central to this vulnerability. While GitLab already applies a rate limit of five requests per minute for blobs larger than 10 MB, this safeguard proved insufficient under specific conditions. 

GitLab's security team confirmed that this issue could lead to prolonged system outages if left unaddressed. 

Medium-Severity DoS Vulnerabilities 

The update also resolves several medium-severity DoS flaws: 

  • CVE-2025-3111 (CVSS 6.5): Unrestricted generation of Kubernetes cluster tokens due to poor input validation could cause service disruptions. 
  • CVE-2025-2853 (CVSS 6.5): Improper validation of note positions may allow authenticated users to trigger system failures. 
  • CVE-2024-7803 (CVSS 6.5): A flaw in the Discord webhook integration, present in all versions from 11.6 up to the patched release, can be used for DoS attacks. 

Past reports have shown that webhook functionalities in GitLab are susceptible to abuse, particularly since there is no enforced rate limit on webhook requests, which could allow attackers to flood a victim’s server. 

GitLab's Recommendations 

To mitigate the risks, GitLab recommends the following steps: 

  • Update GitLab immediately: All installations using vulnerable versions should be upgraded to the most recent release without delay. 
  • Enforce strong input validation: Most of the vulnerabilities stem from inadequate checks on user input, especially involving blobs, note positions, and Kubernetes tokens. 
  • Monitor resource usage: Tools such as htop and dmesg -T -w (human-readable timestamps, follow mode) help track CPU and memory activity, making it easier to spot an attack in progress. 
  • Configure object storage wisely: For large-scale deployments, setting storage limits and using external object storage can reduce risks tied to large blob uploads. 
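The five-requests-per-minute limit on blobs larger than 10 MB described above, together with the monitoring advice in this list, suggests one check a defender can run over access logs. The following is an added example (not GitLab's code or the article's); it assumes nginx combined-format access logs, that raw blob downloads appear under a "/raw/" path segment, and uses constructed sample lines.

```python
# Added example, not GitLab's code or the article's: flag clients that exceed the
# five-per-minute limit on >10 MB blob downloads that the article describes.
# Assumptions (not from the page): nginx "combined" log format, raw blob downloads
# under a "/raw/" path segment. The sample log lines below are constructed.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
    r' [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LARGE_BLOB = 10 * 1024 * 1024           # 10 MB threshold cited in the article
LIMIT, WINDOW = 5, timedelta(minutes=1)  # five per minute, as the article states

def parse(line):
    """Return (ip, timestamp, path, bytes), or None if the line does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["path"], int(m["bytes"])

def is_large_blob(path, nbytes):
    # Assumption: raw blob downloads appear under a "/raw/" path segment.
    return "/raw/" in path and nbytes > LARGE_BLOB

def flag_clients(lines):
    """Map each client IP to the time it first exceeded LIMIT large-blob requests
    within a sliding WINDOW. Lines are assumed to be in chronological order."""
    recent, flagged = defaultdict(deque), {}
    for line in lines:
        rec = parse(line)
        if rec is None or not is_large_blob(rec[2], rec[3]):
            continue
        ip, ts = rec[0], rec[1]
        window = recent[ip]
        window.append(ts)
        while ts - window[0] >= WINDOW:     # drop requests older than one minute
            window.popleft()
        if len(window) > LIMIT and ip not in flagged:
            flagged[ip] = ts
    return flagged

# Constructed sample: 203.0.113.9 fetches a 15 MB raw blob six times in 50 seconds.
SAMPLE_LOG = [
    f'203.0.113.9 - - [20/May/2025:10:00:{s:02d} +0000] '
    f'"GET /grp/proj/-/raw/main/big.bin HTTP/1.1" 200 15000000' for s in range(0, 60, 10)
] + [
    '198.51.100.4 - - [20/May/2025:10:00:05 +0000] "GET /grp/proj/-/raw/main/big.bin HTTP/1.1" 200 15000000',
    '198.51.100.4 - - [20/May/2025:10:00:07 +0000] "GET /grp/proj/-/blob/main/README.md HTTP/1.1" 200 2048',
]
```

Running flag_clients(SAMPLE_LOG) reports 203.0.113.9 at 10:00:50, the sixth large download inside one minute, while 198.51.100.4 stays under the limit.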

These updates highlight the ongoing difficulties in securing DevOps environments, especially when dealing with large files and third-party integrations that may be vulnerable to resource-based attacks. 
