Multiple GitLab Vulnerabilities Let Attackers Trigger DoS Attacks

May 22, 2025 - 20:30

GitLab has released critical security patches addressing 11 vulnerabilities across its Community Edition (CE) and Enterprise Edition (EE) platforms, with several high-risk flaws enabling denial-of-service (DoS) attacks.

The coordinated release of versions 18.0.1, 17.11.3, and 17.10.7 comes as the DevOps platform confronts multiple attack vectors that could destabilize systems through resource exhaustion, authentication bypasses, and data exposure risks.

This security update represents GitLab’s most comprehensive remediation effort in 2025, impacting all deployment models including Omnibus, source, and Helm chart installations.

The company strongly recommends that all self-managed GitLab installations be upgraded immediately, while noting that GitLab.com is already running the patched version.

Critical Large Blob Endpoint Vulnerability 

The most severe vulnerability (CVE-2025-0993) enables authenticated attackers to trigger server resource exhaustion through an unprotected large blob endpoint, scoring 7.5 on the CVSS v3.1 scale. 

This high-severity flaw affects all installations prior to the patched versions, allowing threat actors to overwhelm systems by repeatedly submitting oversized data payloads.

A Git blob (binary large object) is the object type used to store the contents of each file in a repository. 

The vulnerability appears to lie in GitLab’s handling of these blobs, for which requests larger than 10 MB already carry a rate limit of 5 requests per minute.

The security team confirmed this vulnerability could sustain prolonged downtime in unprotected environments.

Medium-Severity DoS Attack Vectors Patched

Several additional medium-severity DoS vectors were identified and addressed in this release:

  • CVE-2025-3111 (CVSS 6.5): Unbounded Kubernetes cluster tokens could lead to DoS. A lack of input validation in the Kubernetes integration allows authenticated users to cause a denial of service by generating excessive tokens.
  • CVE-2025-2853 (CVSS 6.5): Unvalidated notes position may lead to Denial of Service. A lack of proper validation in GitLab could allow an authenticated user to trigger a DoS condition.
  • CVE-2024-7803 (CVSS 6.5): A Discord webhook integration may cause DoS. This vulnerability affects all versions from 11.6 before the patched releases.

Previous research has shown that webhook functionality in GitLab can be abused for DoS attacks. 

As noted in one bug report: “Since there is no rate limit on the gitlab.com webhook function, attackers can use this to send a lot of requests to the victims server”.

GitLab urges administrators to take immediate action:

Upgrade immediately: “We strongly recommend that all installations running a version affected by the issues described are upgraded to the latest version as soon as possible”.

Apply proper input validation: Many of the vulnerabilities stem from inadequate validation of user inputs, particularly for blobs, notes positions, and Kubernetes tokens.

Monitor system resources: During potential attacks, monitoring CPU and memory usage can help identify exploitation attempts. 

Commands like htop for general system memory usage and dmesg -T -w for kernel logs can be valuable diagnostic tools.

Consider object storage configuration: For large instances, configuring proper object storage with appropriate limits can help mitigate blob-related attacks.
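As an added example (not GitLab’s code and not from the article), the following Python models the policy the article mentions for large blobs, 5 requests per minute for blobs over 10 MB, as a per-user sliding-window limiter and replays constructed log events through it, so an administrator reviewing access logs can see which user would have been throttled and how often. The JSON log field names, the endpoint path and the sample events are assumptions made for this example; they are not real GitLab log output.

```python
"""Sliding-window limiter for oversized blob requests, replayed over constructed log events.

Added example, not GitLab's code. Policy numbers (10 MB, 5 requests/minute) come from
the article; the log format and the sample events are assumptions of this example.
"""
from collections import defaultdict, deque
import json

LARGE_BLOB_BYTES = 10 * 1024 * 1024   # 10 MB threshold named in the article
LIMIT_PER_WINDOW = 5                  # 5 requests ...
WINDOW_SECONDS = 60                   # ... per minute


class SlidingWindowLimiter:
    """Per-key limiter: at most `limit` allowed events in any `window`-second span."""

    def __init__(self, limit=LIMIT_PER_WINDOW, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._allowed = defaultdict(deque)  # key -> timestamps of allowed events

    def allow(self, key, now):
        """Record an event at time `now` (seconds); True if it fits the budget, False if rejected."""
        q = self._allowed[key]
        while q and now - q[0] >= self.window:   # age out timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False                         # over budget: this request is rejected
        q.append(now)
        return True


def _event(t, user, size, sha="abc"):
    # Assumed field names; the path mimics GitLab's repository blob API but is only illustrative.
    return {"time": t, "username": user,
            "path": f"/api/v4/projects/1/repository/blobs/{sha}", "content_length": size}


# Constructed sample log: one JSON object per line, NOT real GitLab output.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    # alice: seven 12 MB requests in 30 seconds, which exceeds 5 per minute
    *[_event(100 + 5 * i, "alice", 12_000_000) for i in range(7)],
    # bob: three large requests plus two small ones; small ones are not subject to the limit
    _event(200, "bob", 15_000_000), _event(205, "bob", 4_000),
    _event(210, "bob", 11_000_000), _event(215, "bob", 2_500),
    _event(220, "bob", 13_000_000),
    # carol: six 20 MB requests spaced 15 s apart, never more than 5 in any 60 s window
    *[_event(300 + 15 * i, "carol", 20_000_000) for i in range(6)],
])


def review_log(lines, limiter=None):
    """Replay log lines through the limiter; return {username: rejected large-blob requests}."""
    limiter = limiter or SlidingWindowLimiter()
    events = sorted((json.loads(l) for l in lines if l.strip()), key=lambda e: e["time"])
    rejected = {}
    for ev in events:
        if ev["content_length"] <= LARGE_BLOB_BYTES:
            continue                              # policy applies only to oversized blobs
        user = ev["username"]
        rejected.setdefault(user, 0)
        if not limiter.allow(user, ev["time"]):
            rejected[user] += 1
    return rejected


def flag_abusers(report, min_rejections=1):
    """Users whose rejected-request count reaches the threshold, most rejections first."""
    ranked = sorted(report.items(), key=lambda kv: (-kv[1], kv[0]))
    return [user for user, n in ranked if n >= min_rejections]


if __name__ == "__main__":
    report = review_log(SAMPLE_LOG.splitlines())
    for user, n in sorted(report.items()):
        print(f"{user}: {n} large-blob request(s) over the {LIMIT_PER_WINDOW}/min limit")
    print("flagged:", flag_abusers(report))
```

The limiter keys on the username, which matches the article’s point that the attacker is authenticated; keying on source IP instead would miss a user rotating addresses and would lump together users behind one NAT. Replaying logs this way is a review aid, not a substitute for the rate limit enforced by the application itself.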

These vulnerabilities collectively demonstrate the ongoing challenges in securing complex DevOps platforms against resource exhaustion attacks, particularly when handling large binary objects and external integrations.


The post Multiple GitLab Vulnerabilities Let Attackers Trigger DoS Attacks appeared first on Cyber Security News.