CVE-2025-1072: 
GitLab vulnerability analysis and mitigation

A Denial of Service (DoS) vulnerability (CVE-2025-1072) has been discovered in GitLab CE/EE affecting all versions starting from 7.14.1 prior to 17.3.7, 17.4 prior to 17.4.4, and 17.5 prior to 17.5.2. The vulnerability allows attackers to cause a denial of service condition through maliciously crafted content using the Fogbugz importer (GitLab Release, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The vulnerability is related to resource allocation without limits or throttling (CWE-770) when processing Fogbugz importer payloads (NVD).

When exploited, this vulnerability can result in a denial of service condition affecting the GitLab instance's availability. The attack requires low complexity and can be executed remotely, though it requires low privileges to execute (GitLab Release).

GitLab has released patches to address this vulnerability in versions 17.3.7, 17.4.4, and 17.5.2. Users are strongly recommended to upgrade to these patched versions immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take action (GitLab Release).