CVE-2025-3601: 
GitLab vulnerability analysis and mitigation

A resource allocation vulnerability (CVE-2025-3601) was discovered in GitLab CE/EE affecting all versions from 8.15 before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1. The vulnerability was disclosed on August 27, 2025, and allows authenticated users to cause a Denial of Service (DoS) condition by submitting URLs that generate excessively large responses (GitLab Patch, NVD).

The vulnerability is classified as CWE-770 (Allocation of Resources Without Limits or Throttling) and received a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The attack requires network access and low privileges but no user interaction, potentially affecting the availability of the system (NVD).

When exploited, this vulnerability can lead to a Denial of Service (DoS) condition affecting the availability of GitLab instances. The impact is limited to system availability, with no direct effect on confidentiality or integrity (GitLab Patch).

GitLab has released patches in versions 18.1.5, 18.2.5, and 18.3.1 to address this vulnerability. Organizations are strongly recommended to upgrade to these patched versions immediately. GitLab.com has already been updated with the fix, and GitLab Dedicated customers do not need to take any action (GitLab Patch).