GitLab Patches Multiple Vulnerabilities That Could Lead to Denial of Service and SSRF Attacks

GitLab has urgently released security patches for its Community (CE) and Enterprise (EE) editions, addressing multiple vulnerabilities, including two high-severity flaws that could lead to Server-Side Request Forgery (SSRF) and Denial of Service (DoS) attacks. The company strongly advises all administrators of self-managed GitLab installations to upgrade immediately to the newly released versions: 18.3.2, 18.2.6, and 18.1.6. These updates resolve a total of six security vulnerabilities, varying in severity. Customers using the cloud-hosted GitLab.com service are already protected, while GitLab Dedicated users do not need to take any action. The fixes are part of GitLab’s scheduled patch releases, aimed at promptly addressing security issues and bugs.

Among the critical vulnerabilities fixed in this release is a high-severity SSRF flaw, tracked as CVE-2025-6454, with a CVSS score of 8.5. The flaw existed in the Webhook custom header feature and could be exploited by an authenticated user to force the GitLab instance to make unintended internal requests in proxy environments. The second high-severity issue, CVE-2025-2256, is a DoS vulnerability with a CVSS score of 7.5 that could be exploited by an unauthenticated attacker sending multiple large SAML responses, exhausting the GitLab instance's resources. GitLab also patched four medium-severity vulnerabilities, three of which could likewise result in DoS. The company has credited several security researchers for discovering and reporting these vulnerabilities through its HackerOne bug bounty program.
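As an added example (not GitLab's own code), the following check compares an instance's reported version string, such as the `version` field returned by GitLab's `/api/v4/version` endpoint, against the fixed releases named above; the handling of `-ee`/`-ce` edition suffixes and the "not covered" result for lines the advisory does not name are assumptions made here.

```python
"""Decide whether a self-managed GitLab version contains the fixes from this
advisory (18.3.2, 18.2.6, 18.1.6). Example code, not GitLab's own."""

# Fixed releases from the advisory, keyed by their minor line.
PATCHED = {
    (18, 3): (18, 3, 2),
    (18, 2): (18, 2, 6),
    (18, 1): (18, 1, 6),
}


def parse_version(s: str) -> tuple:
    """Turn '18.3.1-ee', 'v18.3.1' or '18.3.1' into (18, 3, 1).

    The edition suffix after '-' carries no patch-level information, so it
    is dropped before comparing (assumption about the suffix format).
    """
    core = s.strip().lstrip("v").split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {s!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'not covered' for a version string.

    Only the three minor lines the advisory lists are judged; anything else
    (older lines, or lines released later) is reported as not covered rather
    than guessed at.
    """
    v = parse_version(version)
    line = v[:2]
    if line not in PATCHED:
        return "not covered"
    return "patched" if v >= PATCHED[line] else "vulnerable"


def assess_api_response(payload: dict) -> str:
    """Assess a decoded JSON body from GET /api/v4/version."""
    return assess(payload["version"])


if __name__ == "__main__":
    # Constructed sample response, shaped like the real endpoint's output.
    sample = {"version": "18.3.1-ee", "revision": "placeholder"}
    print(sample["version"], "->", assess_api_response(sample))
```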

Categories: Security Patches, Vulnerabilities, Denial of Service 

Tags: GitLab, Security Patches, Community Edition, Enterprise Edition, Vulnerabilities, SSRF, Denial of Service, CVE-2025-6454, CVE-2025-2256, HackerOne 
