Gitlab Patches Multiple Vulnerabilities that Enable Authentication Bypass and DoS Attacks

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


GitLab has released critical security updates for its Community Edition (CE) and Enterprise Edition (EE) to address multiple high-severity vulnerabilities.

The patches, rolled out in versions 18.6.1, 18.5.3, and 18.4.5, fix security flaws that could allow attackers to bypass authentication, steal user credentials, or crash servers through Denial-of-Service (DoS) attacks.

Security experts and GitLab administrators are being urged to upgrade their self-managed installations immediately. GitLab.com has already been patched to protect users.

Credential Theft and System Crashes

The most concerning vulnerability in this release is CVE-2024-9183, a high-severity issue labeled as a “race condition” in the CI/CD cache.

This flaw could allow an authenticated attacker to steal credentials from users with higher privileges.

By exploiting this timing error, a malicious user could take over administrative accounts or perform unauthorized actions.

| CVE ID | Severity | Type | Description |
|---|---|---|---|
| CVE-2024-9183 | High | Privilege Escalation | A race condition in the CI/CD cache allowing users to obtain higher-privileged credentials. |
| CVE-2025-12571 | High | Denial of Service | Unauthenticated users can crash the system via malicious JSON input. |
| CVE-2025-12653 | Medium | Auth Bypass | Unauthenticated users could join arbitrary organizations by altering headers. |
| CVE-2025-7449 | Medium | Denial of Service | Authenticated users can cause a crash via HTTP response processing. |
| CVE-2025-6195 | Medium | Improper Authorization (EE Only) | Users could view restricted security reports under certain conditions. |
| CVE-2025-13611 | Low | Info Disclosure | Leak of sensitive tokens in the Terraform registry logs. |

Another major fix addresses CVE-2025-12571, a dangerous Denial-of-Service flaw.

This vulnerability allows unauthenticated attackers, with no username or password, to crash a GitLab instance by sending a malicious JSON request.

This type of attack could take an organization’s code repositories offline, disrupting development workflows.

Authentication Bypasses

The update also resolves CVE-2025-12653, a medium-severity issue that could allow unauthenticated users to bypass security checks and join arbitrary organizations by manipulating network request headers.

While less severe than the crash flaw, this bypass poses a significant risk to organizational privacy and access control.

The table above details the security issues resolved in this patch release.

GitLab strongly recommends that all customers running affected versions upgrade to the latest patch immediately. Upgrade targets: versions 18.6.1, 18.5.3, or 18.4.5.

Impact: Single-node instances will experience downtime during the upgrade due to database migrations. Multi-node instances can perform zero-downtime upgrades.
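A quick way for administrators to confirm whether a self-managed instance is on one of the three fixed releases, as an added example that is not code from GitLab or from the article. It reads the running version from GitLab's `GET /api/v4/version` endpoint (the instance URL and token below are placeholders) and compares it against the patch levels named above.

```python
"""Check whether a GitLab version carries the fixes from 18.6.1 / 18.5.3 / 18.4.5."""
import json
import re
import urllib.request

# Fixed releases from the advisory: (major, minor) branch -> minimum patch level
FIXED_PATCH = {(18, 6): 1, (18, 5): 3, (18, 4): 5}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from strings such as '18.5.2' or '18.6.1-ee'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(text):
    """True if the version is at or above the fixed release for its branch.

    Branches newer than 18.6 postdate this patch release and are treated as fixed.
    Branches older than 18.4 received no fix in this release, so they are reported
    as unpatched and should be upgraded to a supported branch.
    """
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in FIXED_PATCH:
        return patch >= FIXED_PATCH[branch]
    return branch > max(FIXED_PATCH)


def fetch_version(base_url, token):
    """Read the running version via GET /api/v4/version (requires an API token)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Placeholder instance URL and token: replace with your own values.
    running = fetch_version("https://gitlab.example.com", "<PRIVATE_TOKEN>")
    print(running, "patched" if is_patched(running) else "UPGRADE REQUIRED")
```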

Failure to update leaves installations exposed to attackers who can now analyze the public patches to reverse-engineer exploits.
