GitLab GraphQL API Vulnerabilities Allow Unauthorized Actions and Denial-of-Service

EXECUTIVE SUMMARY:

A pair of high-severity vulnerabilities have been identified in GitLab’s GraphQL API, tracked as CVE-2025-11340 and CVE-2025-10004. These flaws affect both GitLab Community Edition (CE) and Enterprise Edition (EE) and could allow attackers to perform unauthorized operations or trigger denial-of-service conditions, compromising the integrity and availability of GitLab instances.[emaillocker id="1283"]

• CVE-2025-11340: This vulnerability carries a CVSS v3.1 score of 7.3 (High). It stems from improper authorization handling in certain GraphQL mutations, allowing authenticated users with read-only API tokens to perform unauthorized write operations on vulnerability records. Exploitation of this flaw could lead to modification of sensitive project data and unintended state changes within GitLab’s vulnerability management features.
• CVE-2025-10004: Rated 7.5 (High) under CVSS v3.1, this vulnerability arises from improper handling of repository blob queries within the GraphQL API. An attacker could craft malicious GraphQL queries requesting excessively large blob contents, causing resource exhaustion and denial of service (DoS) against the affected GitLab instance. This impacts both CE and EE editions across multiple supported versions.

These vulnerabilities pose a significant threat to enterprise GitLab deployments, particularly those accessible to internal or external users through API integrations. Successful exploitation could lead to data integrity violations, service downtime, or disruption of CI/CD operations.

RECOMMENDATION:

We strongly recommend you update GitLab Community Edition (CE) and Enterprise Edition (EE) to versions 18.4.2, 18.3.4, or 18.2.8 or later.

REFERENCES:

The following reports contain further technical details:

https://securityonline.info/gitlab-patches-two-high-severity-flaws-in-graphql-api-affecting-both-ce-and-ee-editions/