CVE-2025-11042: 
GitLab vulnerability analysis and mitigation

A Denial of Service vulnerability (CVE-2025-11042) was discovered in GitLab CE/EE affecting all versions starting from 17.2 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1. The vulnerability allows an authenticated user to cause uncontrolled CPU consumption through specific GraphQL queries, potentially leading to a Denial of Service (DoS) condition (GitLab Release, NVD).

The vulnerability is related to unbounded array parameters in the GraphQL API, which could be exploited to cause excessive CPU consumption. The issue has been assigned a CVSS v3.1 score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L. The vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) (GitLab Release).

When exploited, this vulnerability can lead to uncontrolled CPU consumption on the affected GitLab instance, potentially causing service degradation or complete unavailability for legitimate users. The impact is limited to availability, with no direct effect on confidentiality or integrity of the system (GitLab Release).

GitLab has released patches for this vulnerability in versions 18.4.1, 18.3.3, and 18.2.7. Organizations running affected versions should upgrade immediately to one of these patched versions. GitLab.com has already been updated with the security fix, and GitLab Dedicated customers do not need to take any action (GitLab Release).