CVE-2025-2937: 
GitLab vulnerability analysis and mitigation

An issue has been discovered in GitLab CE/EE affecting all versions from 13.2 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed authenticated users to create a denial of service condition by sending specially crafted markdown payloads to the Wiki feature. The vulnerability was assigned CVE-2025-2937 and was discovered through GitLab's HackerOne bug bounty program (GitLab Patch).

The vulnerability is classified as an Inefficient Regular Expression Complexity issue affecting the Wiki feature in GitLab. It has been assigned a CVSS v3.1 score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The weakness is categorized under CWE-1333 (Inefficient Regular Expression Complexity) (NVD Database, GitLab Patch).

The vulnerability could allow authenticated users to create a denial of service condition in the GitLab instance by sending specially crafted markdown payloads to the Wiki feature. This could potentially affect the availability of the GitLab service for other users (GitLab Patch).

GitLab has released patches to address this vulnerability in versions 18.0.6, 18.1.4, and 18.2.2. It is strongly recommended that all affected installations be upgraded to the latest patched version immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take action (GitLab Patch).

The vulnerability was discovered and reported through GitLab's HackerOne bug bounty program by researcher yuki_osaki. The discovery and patching process followed GitLab's standard security practices, with the vulnerability being addressed in a scheduled security release (GitLab Patch).