CVE-2025-3601: 
GitLab vulnerability analysis and mitigation

An issue has been discovered in GitLab CE/EE affecting all versions from 8.15 before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that could have allowed an authenticated user to cause a Denial of Service (DoS) condition by submitting URLs that generate excessively large responses (GitLab Release, NVD).

The vulnerability is classified with a CVSS v3.1 Base Score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The vulnerability is related to allocation of resources without limits or throttling (CWE-770) and requires low privileges with network access vector. No user interaction is required to exploit this vulnerability (GitLab Release).

The vulnerability could allow an authenticated attacker to cause a Denial of Service (DoS) condition, affecting the availability of the GitLab instance. The impact is specifically focused on availability with no direct effect on confidentiality or integrity of the system (NVD).

GitLab has released patches to address this vulnerability in versions 18.1.5, 18.2.5, and 18.3.1. Users are strongly recommended to upgrade to these patched versions immediately. GitLab.com has already been updated with the security fix, and GitLab Dedicated customers do not need to take any action (GitLab Release).

The vulnerability was reported through GitLab's HackerOne bug bounty program by security researcher nermalt, demonstrating the effectiveness of GitLab's security response program (GitLab Release).