CVE-2025-7337: 
GitLab vulnerability analysis and mitigation

An issue has been discovered in GitLab CE/EE affecting all versions from 7.8 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2. The vulnerability (CVE-2025-7337) allows an authenticated user with Developer-level access to cause a persistent denial of service affecting all users on a GitLab instance by uploading large files. This medium-severity vulnerability was discovered through GitLab's HackerOne bug bounty program by researcher pwnie (GitLab Release).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L) and no user interaction (UI:N). The scope is unchanged (S:U), with no impact on confidentiality (C:N) or integrity (I:N), but high impact on availability (A:H). The vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) (NVD).

When exploited, this vulnerability can cause a persistent denial of service condition that affects all users on a GitLab instance. The impact is specifically focused on system availability, with no direct effect on data confidentiality or integrity. The persistent nature of the denial of service suggests that the system remains unavailable until administrative intervention is performed (GitLab Release).

GitLab has released patches to address this vulnerability in versions 18.3.2, 18.2.6, and 18.1.6 for both Community Edition (CE) and Enterprise Edition (EE). Organizations are strongly recommended to upgrade to these patched versions immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take any action as their instances are automatically updated (GitLab Release).