CVE-2025-0993: 
GitLab vulnerability analysis and mitigation

An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. The vulnerability, identified as CVE-2025-0993, was reported through GitLab's HackerOne bug bounty program by researcher pwnie (GitLab Release, NVD).

The vulnerability is classified as high severity with a CVSS v3.1 base score of 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The issue stems from an unprotected large blob endpoint in GitLab that fails to implement proper resource allocation limits. The vulnerability is categorized under CWE-770 (Allocation of Resources Without Limits or Throttling) (NVD).

When exploited, this vulnerability allows an authenticated attacker to cause a denial of service condition by exhausting server resources. The impact primarily affects system availability, with no direct impact on confidentiality or integrity of the system (GBHackers).

GitLab has released patched versions 18.0.1, 17.11.3, and 17.10.7 to address this vulnerability. All GitLab installations running affected versions should be upgraded immediately to one of these patched versions. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take action (GitLab Release).

The security community has highlighted this as one of the most severe vulnerabilities in GitLab's 2025 security updates. Security researchers note that this vulnerability demonstrates the growing importance of resource management in DevOps platforms (GBHackers).