Security Vulnerabilities: GitLab Developers Advise Prompt Update
The software development platform GitLab is vulnerable. Attackers can, among other things, execute DoS attacks.
To protect GitLab instances against potential attacks, admins should install available security patches promptly. If this is not done, attackers can exploit seven security vulnerabilities.
In a security advisory, the developers state that they have closed the vulnerabilities in versions 18.3.5, 18.4.3, and 18.5.1 of GitLab Community Edition (CE) and Enterprise Edition (EE). The fixed versions are reportedly already running on GitLab.com. Even though there are no reports of attacks so far, the developers strongly advise installing the patches as soon as possible.
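As an added example that is not part of the article, the following script decides whether a given GitLab version string already contains the fixes from the three patched releases named above, using the rule that each release branch (18.3, 18.4, 18.5) needs at least its own patched version; it assumes that branches newer than 18.5 include the fixes and that the version string has the `MAJOR.MINOR.PATCH[-ce|-ee]` form also returned by GitLab's `GET /api/v4/version` endpoint (the sample JSON below is constructed, not taken from a real instance).

```python
"""Check a GitLab CE/EE version against the patched releases 18.3.5 / 18.4.3 / 18.5.1."""
import json
import re

# Patched releases named in the advisory, keyed by release branch.
PATCHED = {
    (18, 3): (18, 3, 5),
    (18, 4): (18, 4, 3),
    (18, 5): (18, 5, 1),
}

# Accepts e.g. "18.4.2", "18.4.2-ee", "18.3.5-ce"; pre-release suffixes are rejected.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(ce|ee))?$")


def parse_version(text):
    """Turn '18.4.2-ee' into (18, 4, 2); raise on anything unrecognised."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(x) for x in m.groups()[:3])


def is_patched(text):
    """True if the version carries the fixes from the three patched releases.

    Branches older than 18.3 got no fix in this round and are reported as
    unpatched. Branches newer than 18.5 are treated as patched; that is an
    assumption of this example, not a statement from the advisory.
    """
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in PATCHED:
        return (major, minor, patch) >= PATCHED[branch]
    return branch > max(PATCHED)


def check_instance(version_json):
    """Evaluate the JSON body returned by GitLab's GET /api/v4/version endpoint."""
    version = json.loads(version_json)["version"]
    return version, is_patched(version)


# Constructed sample response in the shape of /api/v4/version (not from a real instance).
SAMPLE_RESPONSE = '{"version": "18.4.2-ee", "revision": "0000000"}'

if __name__ == "__main__":
    for v in ("18.2.9", "18.3.4", "18.3.5-ce", "18.4.2-ee", "18.5.1"):
        print(v, "patched" if is_patched(v) else "UPDATE REQUIRED")
```

The `/api/v4/version` call itself needs an authenticated token, so feed its response body to `check_instance` rather than calling the API from inside this script.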
Various Dangers
Three vulnerabilities (CVE-2025-11702, CVE-2025-10497, CVE-2025-11447) are classified with the threat level "high". If authenticated attackers with specific privileges successfully exploit the first vulnerability, they can gain control over Project Runners. These are helper tools that execute CI jobs in the context of software projects. In the other two cases, DoS attacks are possible without authentication, which typically leads to crashes. These three vulnerabilities were reported through the HackerOne bug bounty program.
In the remaining cases, attackers can, among other things, gain unauthorized access to certain areas and thus, for example, view software projects. These vulnerabilities are rated "medium" and "low".
In addition to resolving security issues, the developers have also fixed various bugs in the current releases, according to their own statements.
Most recently, there were security updates for GitLab in September to close several DoS security vulnerabilities.
(des)