CVE-2025-10004: 
GitLab vulnerability analysis and mitigation

GitLab has identified and remediated a Denial of Service vulnerability (CVE-2025-10004) affecting GitLab Community Edition (CE) and Enterprise Edition (EE). The vulnerability affects all versions from 13.12 to 18.2.8, 18.3 to 18.3.4, and 18.4 to 18.4.2. This security issue was discovered through GitLab's HackerOne bug bounty program by researcher pwnie (GitLab Patch, NVD).

The vulnerability allows attackers to make GitLab instances unresponsive or severely degraded by sending crafted GraphQL queries requesting large repository blobs. The issue has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) (GitLab Patch, NVD).

The vulnerability can result in denial of service conditions, making GitLab instances unresponsive or severely degraded. This impacts the availability of GitLab services, potentially affecting all users of the affected instances (GitLab Patch).

GitLab has released patches in versions 18.4.2, 18.3.4, and 18.2.8 to address this vulnerability. Organizations are strongly recommended to upgrade to these patched versions immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take action (GitLab Patch).