GitLab Patch Release: 18.4.1, 18.3.3, 18.2.7

Today, we are releasing versions 18.4.1, 18.3.3, 18.2.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.

GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, please visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.

For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.

We are committed to ensuring that all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. To maintain good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.

Recommended Action

We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, it means all types are affected.

Security fixes

Table of security fixes

Title	Severity
Denial of Service issue when uploading specifically crafted JSON files impacts GitLab CE/EE	High
Denial of Service issue bypassing query complexity limits impacts GitLab CE/EE	High
Information disclosure issue in virtual registery configuration for low privileged users impacts GitLab CE/EE	Medium
Privilege Escalation issue from within the Developer role impacts GitLab EE	Medium
Denial of Service issue in GraphQL API via Unbounded Array Parameters impacts GitLab CE/EE	Medium
Improper Authorization issue for Project Maintainers when assigning roles impacts GitLab EE	Low
Denial of Service issue in GraphQL API blobSearch impacts GitLab CE/EE	Low
Incorrect ownership assignment via Move Issue drop-down impacts GitLab CE/EE	Low
Denial of Service issue via string conversion methods impacts GitLab CE/EE	Low

CVE-2025-10858 - Denial of Service issue when uploading specifically crafted JSON files impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an unauthenticated user to render a GitLab instance unresponsive to legitimate users by sending specifically crafted JSON files.

Impacted versions: GitLab CE/EE: all versions before 18.2.7, 18.3 before 18.3.1, and 18.4 before 18.4.1
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVE-2025-8014 - Denial of Service issue bypassing query complexity limits impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an unauthenticated user to bypass query complexity limits leading to a Denial of Service condition.

Impacted versions: Gitlab EE/CE all versions from 11.10 prior to 18.2.7, 18.3 prior to 18.3.3, and 18.4 prior to 18.4.1
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVE-2025-9958 - Information disclosure issue in virtual registry configuration for low privileged users impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed low privileged users access to sensitive information stored in virtual registry configurations.

Impacted versions: GitLab CE/EE all versions from 14.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1
CVSS: 6.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N)

Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.

CVE-2025-7691 - Privilege Escalation issue from within the Developer role impacts GitLab EE

GitLab has remediated an issue that could have allowed a developer with specific group management permissions to escalate their privileges and obtain unauthorized access to additional system capabilities.

Impacted versions: GitLab EE all versions from 16.6 prior to 18.2.7, 18.3 prior to 18.3.3, and 18.4 prior to 18.4.1
CVSS: 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)

Thanks rogerace for reporting this vulnerability through our HackerOne bug bounty program.

Denial of Service issue in GraphQL API via Unbounded Array Parameters impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an authenticated user to cause uncontrolled CPU consumption, potentially leading to a Denial of Service condition while using specific GraphQL queries.

Impacted versions: GitLab CE/EE all versions starting from 17.2 before 18.2.7, 18.3 before 18.3.1, and 18.4 before 18.4.1
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

We have requested a CVE ID and will update this blog post when it is assigned.

This vulnerability has been discovered internally by GitLab team member Alisa Frunza.

CVE-2025-10871 - Improper Authorization issue for Project Maintainers when assigning roles impacts GitLab EE

GitLab has remediated an issue that could allow Project Maintainers improper authorization to assign custom roles to users exceeding the Project Maintainer's security boundary and achieving elevated privileges.

Impacted versions: GitLab EE all versions from 16.6 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1
CVSS: 3.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L)

This vulnerability was discovered internally by a GitLab team member, Diane Russel.

CVE-2025-10867 - Denial of Service issue in GraphQL API blobSearch impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an authenticated user to create a Denial of Service condition by exploiting an unprotected GraphQL API through repeated requests.

Impacted versions: GitLab CE/EE all versions from 18.1 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1
CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L)

This vulnerability has been discovered internally by GitLab team member Terri Chu

CVE-2025-5069 - Incorrect ownership assignment via Move Issue drop-down impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an authenticated user to gain unauthorized access to confidential issues by creating a project with an identical name, potentially having users transfer sensitive information to the incorrect project.

Impacted versions: GitLab CE/EE all versions from 17.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1
CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)

Thanks foxribeye for reporting this vulnerability through our HackerOne bug bounty program.

CVE-2025-10868 - Denial of Service issue via string conversion methods impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an authenticated user to cause performance degradation, potentially leading to a Denial of Service condition with certain string conversion methods.

Impacted versions: GitLab CE/EE all versions from 17.4 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1
CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L)

postgreSQL security updates

postgreSQL has been updated to version 16.10 which contains fixes for security vulnerabilities including CVE-2025-8713, CVE-2025-8714 and CVE-2025-8715

Bug fixes

18.4.1

• Backport of Update the admin user for GET Release Environment QA tests
• [18.4] Backport: Resolve "Unable to fork project or create project if application wide lock_duo_features_enabled is true"
• Backport of Add Danger message to guide backport MR authors to reviewers and mergers (18.4)
• Backport of 'Prevent deleting group/project when ancestor is marked for deletion at the service level'
• 18.4: Backport of 'Fix error when applying scanner suggestion'
• Backport of Ensure proper MCP URL OAuth Discovery for API/V4/MCP
• Fix database state leak across specs
• Optimize HandleMalformedStrings middleware for CPU and memory
• Backport protected branches dropdown copy fix to 18.4
• [18.4] Fix flaky parallel design management uploads spec
• Backport of (Fix FetchModelDefinitionsService) !205687
• Backport: Add documentation on how to add DUO_WORKFLOW_SELF_SIGNED_JWT__SIGNING_KEY for DAP installations
• Backport of 'Geo: fix ActiveRecord::StatementInvalid: PG::UndefinedColumn when querying reverification count'
• Backport of Return success when status update target already matches
• [18.4] Allow elastic client adapter to be set
• Backport of Use isUnsafeLink for xcode protocol
• Ensure assets get recompiled if cached-assets-hash.txt is empty
• 18.4 Backport of 'Resolve "Dependency list export with API silently fails license validation"'
• CI: Make Ubuntu 22.04 FIPS check EE-only (Backport)

18.3.3

• Backport 'Bump default ruby version to 3.2.9'
• Backport of "Use release-environment project id instead of canonical"
• Backport of 'Danger to not warn in maintained stable branches' to 18.3
• Backport of "Upgrade duo workflow client protocol version"
• Backport of "Filter out duplicate values from the variable options dropdown"
• 18.3: Backport of 'Fix security widget polling indefinitely when there are sboms'
• [18.3 backport] Remove CVE-2025-8714 commands from structure.sql
• Backport 18.3: Do not trim deployment filename in geo secondary
• [Backport-18.3]Wiki search throws 500 error for some wiki content
• [18.3] Fix search admin page error when ES server returns forbidden
• Backport of "Hide secrets manager settings behind feature flag instead of just the license" to 18.3
• Backport of Update the admin user for GET Release Environment QA tests
• [18.3] Backport: Resolve "Unable to fork project or create project if application wide lock_duo_features_enabled is true"
• Backport of Add Danger message to guide backport MR authors to reviewers and mergers (18.3)
• [Backport 18-3] Skip secret push protection for as-if-foss pipeline
• 18.3: Backport of 'Fix error when applying scanner suggestion'
• Backport of Ensure proper MCP URL OAuth Discovery for API/V4/MCP
• Optimize HandleMalformedStrings middleware for CPU and memory
• Backport to 18.3 of Add job project claims to CI ID Tokens
• Backport of Return success when status update target already matches
• [18.3] Fix flaky parallel design management uploads spec
• Backport 'Fix branches autocomplete paths in the merge request list app' to 18-3
• Backport 'Fix Linked file not being on top of the list' to 18-3
• [18.3] Allow elastic client adapter to be set
• Backport of Use isUnsafeLink for xcode protocol
• 18.3 Backport of 'Resolve "Dependency list export with API silently fails license validation"'
• Backport: Fix registry matadata database password creation
• Fall back to c_rehash if there are multiple TLS certificates

18.2.7

• Backport of diff comment suggestions line range fix
• [18.2] Fix search admin page error when ES server returns forbidden
• [Backport 18.2] Wiki search throws 500 error for some wiki content
• Backport of 'Danger to not warn in maintained stable branches' to 18.2
• Backport 18.2: Do not trim deployment filename in geo secondary
• Backport of "Use release-environment project id instead of canonical"
• 18.2: Backport of 'Fix security widget polling indefinitely when there are sboms'
• Backport of Update the admin user for GET Release Environment QA tests
• [Backport 18-2] Skip secret push protection for as-if-foss pipeline
• Backport of Add Danger message to guide backport MR authors to reviewers and mergers (18.2)
• 18.2: Backport of 'Fix error when applying scanner suggestion'
• Optimize HandleMalformedStrings middleware for CPU and memory
• Backport to 18.2 of Add job project claims to CI ID Tokens
• [18.2] Backport: Resolve "Unable to fork project or create project if application wide lock_duo_features_enabled is true"
• [18.2] Fix flaky parallel design management uploads spec
• Fall back to c_rehash if there are multiple TLS certificates

Important notes on upgrading

These versions do not include any new migrations, and for multi-node deployments, should not require any downtime.

Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure file, which is only used for updates.

Updating

To update GitLab, see the Update page. To update Gitlab Runner, see the Updating the Runner page.

Receive Patch Notifications

To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.