CVE-2025-11042: 
GitLab vulnerability analysis and mitigation

A Denial of Service vulnerability (CVE-2025-11042) was discovered in GitLab CE/EE affecting all versions starting from 17.2 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1. The vulnerability allows an authenticated user to cause uncontrolled CPU consumption through specific GraphQL queries (GitLab Release, NVD).

The vulnerability is classified as an 'Allocation of Resources Without Limits or Throttling' issue (CWE-770). It received a CVSS v3.1 base score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L. The vulnerability specifically involves the GraphQL API's handling of unbounded array parameters, which can lead to excessive CPU resource consumption (GitLab Release).

When exploited, this vulnerability can cause uncontrolled CPU consumption, potentially leading to a Denial of Service (DoS) condition. This could affect the availability of the GitLab instance for legitimate users (GitLab Release).

GitLab has released patches in versions 18.4.1, 18.3.3, and 18.2.7 to address this vulnerability. Organizations are strongly recommended to upgrade to one of these patched versions immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take action (GitLab Release).

The vulnerability was discovered internally by GitLab team member Alisa Frunza, demonstrating GitLab's commitment to internal security research and responsible disclosure (GitLab Release).