CVE-2025-11974: 
GitLab vulnerability analysis and mitigation

GitLab has identified a denial of service vulnerability (CVE-2025-11974) affecting both Community Edition (CE) and Enterprise Edition (EE) versions from 11.7 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1. The vulnerability was discovered internally by GitLab team member David Fernandez and was patched in the October 2025 security release (GitLab Patch).

The vulnerability allows an unauthenticated user to create a denial of service condition by uploading large files to specific API endpoints. The issue has been assigned a CVSS score of 6.5 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. This indicates that the vulnerability can be exploited over the network with low attack complexity, requires low privileges, and primarily impacts system availability (GitLab Patch).

When successfully exploited, the vulnerability can result in a denial of service condition, potentially making the GitLab instance unavailable to legitimate users. The impact is primarily focused on system availability, with no direct effect on confidentiality or integrity of the system (Security Online).

GitLab has released patches in versions 18.5.1, 18.4.3, and 18.3.5 for both CE and EE editions. Organizations are strongly recommended to upgrade to these patched versions immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take any action (GitLab Patch).

Ubuntu has noted that GitLab is no longer maintainable as a distribution package and has been removed from Ubuntu. They have explicitly stated they will not be fixing security issues in the GitLab package (Ubuntu Security).