CVE-2025-3279: 
GitLab vulnerability analysis and mitigation

A Denial of Service vulnerability (CVE-2025-3279) was discovered in GitLab CE/EE affecting all versions from 10.7 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1. The vulnerability was disclosed on June 25, 2025, and affects both GitLab Community Edition (CE) and Enterprise Edition (EE) installations (GitLab Release, NVD).

The vulnerability allows authenticated attackers to create a Denial of Service (DoS) condition by sending crafted GraphQL requests. The issue has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The vulnerability has been classified under CWE-770 (Allocation of Resources Without Limits or Throttling) (NVD, Wiz).

The vulnerability can result in a Denial of Service condition affecting the availability of GitLab instances. The CVSS scoring indicates high impact on availability while maintaining no impact on confidentiality or integrity of the system (GitLab Release).

GitLab has released patches in versions 18.1.1, 18.0.3, and 17.11.5 to address this vulnerability. Organizations are strongly recommended to upgrade to these patched versions immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take action (GitLab Release).

The vulnerability was reported through GitLab's HackerOne bug bounty program. Ubuntu has acknowledged the vulnerability but noted that GitLab isn't maintainable as a distribution package and was removed from Ubuntu due to maintenance challenges (Ubuntu).