GitLab Patch Release: 18.0.1, 17.11.3, 17.10.7

Today we are releasing versions 18.0.1, 17.11.3, 17.10.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.

GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.

For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.

We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.

Recommended Action

We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.

Security fixes

Table of security fixes

Title	Severity
Unprotected large blob endpoint in GitLab allows Denial of Service	High
Improper XPath validation allows modified SAML response to bypass 2FA requirement	Medium
A Discord webhook integration may cause DoS	Medium
Unbounded Kubernetes cluster tokens may lead to DoS	Medium
Unvalidated notes position may lead to Denial of Service	Medium
Hidden/masked variables may get exposed in the UI	Medium
Two-factor authentication requirement bypass	Medium
View full email addresses that should be partially obscured	Medium
Branch name confusion in confidential MRs	Low
Unauthorized access to job data via a GraphQL query	Low

Unprotected large blob endpoint in GitLab allows Denial of Service

An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. This could allow an authenticated attacker to cause a denial of service condition by exhausting server resources. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, 7.5). It is now mitigated in the latest release and is assigned CVE-2025-0993.

Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.

Improper XPath validation allows modified SAML response to bypass 2FA requirement

An issue has been discovered in GitLab CE/EE affecting all versions from 11.1 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. Improper XPath validation allowed modified SAML responses to bypass 2FA requirement under specialized conditions. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N, 6.8). It is now mitigated in the latest release and is assigned CVE-2024-12093.

Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.

A Discord webhook integration may cause DoS

An issue has been discovered in GitLab CE/EE affecting all versions from 11.6 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. A Discord webhook integration may cause DoS. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5). It is now mitigated in the latest release and is assigned CVE-2024-7803.

Thanks a92847865 for reporting this vulnerability through our HackerOne bug bounty program.

Unbounded Kubernetes cluster tokens may lead to DoS

An issue has been discovered in GitLab CE/EE affecting all versions from 10.2 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. A lack of input validation in the Kubernetes integration could allow an authenticated user to cause denial of service. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5). It is now mitigated in the latest release and is assigned CVE-2025-3111.

Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.

Unvalidated notes position may lead to Denial of Service

An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. A lack of proper validation in GitLab could allow an authenticated user to cause a denial of service condition. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5). It is now mitigated in the latest release and is assigned CVE-2025-2853.

Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.

Hidden/masked variables may get exposed in the UI

An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. An attacker may be able to reveal masked or hidden CI variables (that they did not author) in the WebUI, by simply creating their own variable and observing the HTTP response. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N, 4.9). It is now mitigated in the latest release and is assigned CVE-2025-4979.

This vulnerability was discovered internally by a GitLab team member.

Two-factor authentication requirement bypass

An issue has been discovered in GitLab CE/EE affecting all versions from 16.8 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. Group access controls could allow certain users to bypass two-factor authentication requirements. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N, 4.6). It is now mitigated in the latest release and is assigned CVE-2025-0605.

Thanks salh4ckr for reporting this vulnerability through our HackerOne bug bounty program.

View full email addresses that should be partially obscured

An issue has been discovered in GitLab CE/EE affecting all versions from 17.1 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. Under certain conditions un-authorised users can view full email addresses that should be partially obscured. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2025-0679.

Thanks mateuszek for reporting this vulnerability through our HackerOne bug bounty program.

Branch name confusion in confidential MRs

A business logic error in GitLab CE/EE affecting all versions starting from 12.1 prior to 17.10.7, 17.11 prior to 17.11.3 and 18.0 prior to 18.0.1 where an attacker can cause a branch name confusion in confidential MRs. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N, 3.5). It is now mitigated in the latest release and is assigned CVE-2024-9163.

Thanks foxribeye for reporting this vulnerability through our HackerOne bug bounty program.

Unauthorized access to job data via a GraphQL query

An issue has been discovered in GitLab CE/EE affecting all versions from 18.0 before 18.0.1. In certain circumstances, a user with limited permissions could access Job Data via a crafted GraphQL query. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N, 2.7). It is now mitigated in the latest release and is assigned CVE-2025-1110.

Thanks pwnie for reporting this vulnerability through our HackerOne bug bounty program.

Mattermost Security Updates April 29, 2025

Mattermost has been updated to apply the latest patches for low and medium level security issues.

Bug fixes

18.0.1

• Fix CI_COMMIT_REF tags of FIPS build images
• Bump gitlab-shell to v14.42.0 - 18.0 backport
• [Backport] Do not run index integrity worker for zoekt search
• Update gitlab-qa to 15.5.0
• Add outbound allowlist to allowed endpoints for SSRF filter
• Apply Rails 7-1-stable patches to fix type map init issues
• KAS: remove unsupported GitOps config (18.0 backport)

17.11.3

• Backport 17.11: Generate separate project and group work items fixtures
• [BACKPORT] Fix flaky specs in Import::GitHubService
• [backport] Fixed command palette edge case
• Delete BBM backfill_project_id_for_projects_with_pipeline_variables backport to 17.11
• Add backport to fix shortSHA uniqueness
• [backport] 17.11: Enable FF_TIMESTAMPS for stable branch pipelines
• [backport] Add a ping? check before hitting Elasticsearch in admin
• [Backport]Autocomplete: Change user authorization to use terms query for projects
• Bump gitlab-shell to v14.42.0
• Respect product usage data setting from charts
• Merge branch 'tbulva-zoekt-global-search-bug' into 'master'
• Add outbound allowlist to allowed endpoints for SSRF filter
• Drop ci_runner_machines_archived table
• 17.11: Use no_longer_detected_ids when auto-resolving vulnerabilities
• Update outdated test certificates [17.11]
• Revert "Merge branch 'renovate/pgbouncer-pgbouncer-1.x' into 'master'"
• Ensure correct version of Nginx modules gets included in the package

17.10.7

• Backport 17.10: Generate separate project and group work items fixtures
• [BACKPORT] Fix flaky specs in Import::GitHubService
• [backport] 17.10: Enable FF_TIMESTAMPS for stable branch pipelines
• Bump gitlab-shell to v14.42.0
• Drop ci_runner_machines_archived table
• Update outdated test certificates [17.10]
• Ensure correct version of Nginx modules gets included in the package

Updating

To update GitLab, see the Update page. To update Gitlab Runner, see the Updating the Runner page.

Receive Patch Notifications

To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.