CVE-2025-2934: 
GitLab vulnerability analysis and mitigation

GitLab has identified and remediated a security vulnerability (CVE-2025-2934) affecting GitLab Community Edition (CE) and Enterprise Edition (EE). The vulnerability affects all versions from 5.2 prior to 18.2.8, 18.3 prior to 18.3.4, and 18.4 prior to 18.4.2. This issue was initially reported to Ruby Core maintainers on July 17, 2025 (GitLab Release, NVD).

The vulnerability is classified as a Denial of Service (DoS) issue related to webhook endpoints. The issue stems from an upstream Ruby Core library vulnerability that could be exploited through malicious webhook endpoints sending crafted HTTP responses. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L. It has been categorized under CWE-770 (Allocation of Resources Without Limits or Throttling) (GitLab Release, NVD).

The vulnerability could allow an authenticated attacker to create a denial of service condition in the GitLab instance by configuring malicious webhook endpoints. This could potentially affect the availability of the GitLab service (GitLab Release).

GitLab has released patches for all affected versions. Users are strongly recommended to upgrade to GitLab versions 18.2.8, 18.3.4, or 18.4.2 or later, depending on their current version. GitLab.com has already been updated with the patched version, and GitLab Dedicated customers do not need to take any action (GitLab Release).