GitLab has released patch versions 18.6.1, 18.5.3, and 18.4.5 for Community Edition (CE) and Enterprise Edition (EE) to address security vulnerabilities, the most serious of which are rated high severity.
The updates fix a race condition in CI/CD cache handling that can leak credentials, an authentication weakness in account registration, and several denial-of-service (DoS) issues that could disrupt service.
Administrators of self-managed GitLab instances should upgrade promptly. GitLab.com is already running the patched code, and GitLab Dedicated customers do not need to take any action.
The patches remediate six vulnerabilities, ranging from high to low severity, disclosed through GitLab’s HackerOne bug bounty program. Detailed technical reports become public 30 days post-release on the issue tracker.
The most serious is CVE-2024-9183, a race condition in CI/CD cache handling that lets an authenticated, low-privileged user obtain credentials belonging to a higher-privileged context and then perform actions with the privileges of that credential. Exploitation requires network access, high attack complexity, and user interaction, and the impact crosses a scope boundary (CVSS 3.1 vector AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N, score 7.7).
The second high-severity issue, CVE-2025-12571, stems from flawed JSON input validation middleware: an unauthenticated attacker can trigger a DoS by sending crafted JSON requests over the network, with low attack complexity and no user interaction (CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, score 7.5).
CVE-2025-12653 is an authentication bypass during account registration that allows an unauthenticated remote user to join organizations they are not authorized for, again with low attack complexity (CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N, score 6.5, medium).
The remaining issues are a medium-severity DoS in HTTP response processing (CVE-2025-7449, CVSS 6.5), an improper-authorization flaw in EE markdown rendering that exposes security reports (CVE-2025-6195, CVSS 4.3), and a low-severity information disclosure in which Terraform registry logs reveal tokens (CVE-2025-13611, CVSS 2.4).
The upgrades include database migrations, which cause downtime on single-node installations; multi-node installations can be upgraded with zero downtime if GitLab's documented zero-downtime upgrade procedure is followed. Version 18.6.1 also ships post-deployment migrations that must run after the new code is deployed.
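Before scheduling the upgrade it helps to know whether an instance is actually below the fixed version for its release branch, rather than comparing version strings by eye (GitLab reports versions with suffixes such as "18.5.2-ee"). The script below is an added example, not GitLab's own code: it encodes the three fixed versions named in this advisory, parses the version string the existing GET /api/v4/version endpoint returns, and reports whether the instance is patched. The instance URL (GITLAB_URL) and token (GITLAB_TOKEN) are hypothetical environment variables; the fallback version string is a constructed sample, and the treatment of branches newer than 18.6 as already containing the fixes is an assumption.

```python
"""Check whether a self-managed GitLab instance is on a patched version.

Added example (not GitLab's own code). The fixed versions are the three
patch releases named in the advisory: 18.6.1, 18.5.3 and 18.4.5.
"""
import json
import os
import re
import urllib.request

# Minimum patched level per release branch: (major, minor) -> patch.
FIXED = {(18, 6): 1, (18, 5): 3, (18, 4): 5}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(raw):
    """Turn a GitLab version string such as '18.5.2-ee' or '18.6.0-pre'
    into a (major, minor, patch) tuple. Edition and pre-release suffixes
    are ignored because they do not affect the patch level."""
    m = _VERSION_RE.match(raw.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {raw!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(raw):
    """True if the running version already contains the fixes.

    Branches older than 18.4 received no patch in this release, so they are
    reported as unpatched whatever their patch level. A branch newer than
    18.6 is assumed (assumption, not stated in the advisory) to carry the
    fixes forward, since it was cut after the patch releases.
    """
    major, minor, patch = parse_version(raw)
    branch = (major, minor)
    if branch in FIXED:
        return patch >= FIXED[branch]
    return branch > max(FIXED)


def minimum_fixed_version(raw):
    """Smallest patched version an instance on this branch should move to,
    or None if the branch is not one of the patched ones (in which case the
    instance must first be upgraded to a branch that received the fix)."""
    major, minor, _ = parse_version(raw)
    if (major, minor) in FIXED:
        return f"{major}.{minor}.{FIXED[(major, minor)]}"
    return None


def fetch_running_version(base_url, token):
    """Query GET /api/v4/version (an existing GitLab API endpoint that
    requires an authenticated user) and return its 'version' field."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Hypothetical instance URL and token, assumed to come from the environment.
    url = os.environ.get("GITLAB_URL", "https://gitlab.example.com")
    token = os.environ.get("GITLAB_TOKEN")
    if token:
        running = fetch_running_version(url, token)
    else:
        running = "18.5.2-ee"  # constructed sample used when no token is set
    status = "patched" if is_patched(running) else "VULNERABLE"
    print(f"{running}: {status}; minimum fixed version on this branch: "
          f"{minimum_fixed_version(running)}")
```

Run it with GITLAB_URL and a personal access token in GITLAB_TOKEN to check a live instance; without a token it evaluates the constructed sample, which on the 18.5 branch is below 18.5.3 and so is reported as vulnerable.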
The releases also carry non-security bug fixes across the three branches, including a Container Registry version bump, custom role approvers for inherited users, Sidekiq CSS loading in Cloud Native GitLab, Zoekt rollout problems, and a race in merge request polling.
The vulnerabilities were reported by ninjafit, a92847865, pwnie, and mateuszek, who received bounties. GitLab's handbook describes best practices for securing self-managed instances.