CVE-2025-11447: 
GitLab vulnerability analysis and mitigation

GitLab has identified and remediated a security vulnerability (CVE-2025-11447) affecting GitLab Community Edition (CE) and Enterprise Edition (EE) versions from 11.0 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1. The vulnerability was discovered and reported through GitLab's HackerOne bug bounty program by user a92847865 (GitLab Release).

The vulnerability is related to JSON validation in GitLab's GraphQL implementation. The issue allows unauthenticated attackers to cause a denial of service condition by sending specially crafted JSON payloads through GraphQL requests. The vulnerability has been assigned a CVSS v3.1 score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The weakness has been categorized as CWE-770 (Allocation of Resources Without Limits or Throttling) (NVD Database).

The vulnerability enables unauthenticated attackers to cause denial of service conditions in affected GitLab installations. This could potentially disrupt service availability for legitimate users of the GitLab instance (GitLab Release).

GitLab has released patches in versions 18.5.1, 18.4.3, and 18.3.5 to address this vulnerability. Organizations running affected versions are strongly recommended to upgrade to one of these patched versions immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take any action (GitLab Release).