CVE-2025-0993: 
GitLab vulnerability analysis and mitigation

An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. The vulnerability, identified as CVE-2025-0993, was reported through GitLab's HackerOne bug bounty program by researcher pwnie. The vulnerability is classified as high severity with a CVSS v3.1 base score of 7.5 (GitLab Release, NVD).

The vulnerability is categorized under CWE-770 (Allocation of Resources Without Limits or Throttling) and stems from an unprotected large blob endpoint in GitLab that fails to implement proper resource allocation limits. The CVSS v3.1 vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD, Wiz).

When exploited, this vulnerability allows an authenticated attacker to cause a denial of service condition by exhausting server resources. The impact primarily affects system availability, with no direct impact on confidentiality or integrity of the system (Wiz).

GitLab has released patched versions 18.0.1, 17.11.3, and 17.10.7 to address this vulnerability. All GitLab installations running affected versions should be upgraded immediately to one of these patched versions. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take action (GitLab Release).

The security community has highlighted this as one of the most severe vulnerabilities in GitLab's 2025 security updates. Security researchers note that this vulnerability demonstrates the growing importance of resource management in DevOps platforms (Wiz).