CVE-2025-1754: 
GitLab vulnerability analysis and mitigation

A missing authentication vulnerability (CVE-2025-1754) was discovered in GitLab CE/EE affecting all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1. The vulnerability was disclosed on June 25, 2025, and allows unauthenticated attackers to upload arbitrary files to public projects through crafted API requests (GitLab Patch, NVD).

The vulnerability is classified with a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. The issue is categorized under CWE-306 (Missing Authentication for Critical Function). The vulnerability allows attackers to exploit the system through crafted API requests that bypass authentication controls (GitLab Patch, NVD).

The vulnerability could lead to resource abuse and unauthorized content storage in public projects. Attackers could potentially upload arbitrary files to public projects without authentication, compromising system resources and potentially storing malicious content (GitLab Patch).

GitLab has released patches in versions 17.11.5, 18.0.3, and 18.1.1 to address this vulnerability. It is strongly recommended that all affected installations be upgraded to one of these patched versions immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take action (GitLab Patch).

The vulnerability was reported through GitLab's HackerOne bug bounty program by security researcher abdelrahman_maged, demonstrating the effectiveness of GitLab's security response program (GitLab Patch).