CVE-2025-2937: 
GitLab vulnerability analysis and mitigation

An issue has been discovered in GitLab CE/EE (CVE-2025-2937) affecting all versions from 13.2 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed authenticated users to create a denial of service condition by sending specially crafted markdown payloads to the Wiki feature. The vulnerability was disclosed on August 13, 2025, and has been assigned a CVSS v3.1 score of 6.5 (Medium) (GitLab Release).

The vulnerability is classified as an Inefficient Regular Expression Complexity issue (CWE-1333) affecting the Wiki feature in GitLab. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 MEDIUM with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility, low attack complexity, and requiring low privileges to exploit (NVD).

The vulnerability could allow authenticated users to create a denial of service condition by sending specially crafted markdown payloads to the Wiki feature, potentially affecting system availability. The impact is limited to availability with no direct effect on confidentiality or integrity of the system (GitLab Release).

GitLab has released patches to address this vulnerability in versions 18.0.6, 18.1.4, and 18.2.2. It is strongly recommended that all affected installations be upgraded to one of these patched versions immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take action (GitLab Release).

The vulnerability was reported through GitLab's HackerOne bug bounty program by security researcher yuki_osaki, demonstrating the effectiveness of GitLab's security research collaboration program (GitLab Release).