GitLab has addressed a critical security issue that permitted attackers with knowledge of a victim’s credential ID to circumvent two-factor authentication through forged device responses, alongside multiple high-severity flaws threatening the platform’s availability. The DevSecOps platform, which serves over 30 million registered users and more than half of Fortune 100 companies, released patches in versions 18.8.2, 18.7.2, and 18.6.4 for both Community Edition and Enterprise Edition to remediate these vulnerabilities.
The company also fixed two high-severity denial-of-service flaws that let unauthenticated attackers crash GitLab instances, one by sending specially crafted requests carrying malformed authentication data and the other by exploiting incorrect authorisation validation in API endpoints. These vulnerabilities, tracked as CVE-2025-13927 and CVE-2025-13928, pose a significant risk to business continuity because they require no login credentials to exploit and could shut down entire development operations. Additional medium-severity DoS vulnerabilities were patched, including issues with malformed Wiki documents that bypass cycle detection and with repeated malformed SSH authentication requests.
GitLab has strongly recommended that all self-managed installations upgrade immediately to the latest patched versions, while GitLab.com has already deployed the security updates. The convergence of authentication bypass and denial-of-service capabilities creates a particularly dangerous security emergency for enterprise users who depend on GitLab as backbone infrastructure for software development. Organisations running vulnerable versions face both unauthorised access risks and the possibility of complete pipeline disruption from attackers who can exploit these flaws without authenticated access to the platform.
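As an added example (not GitLab's code or part of the original article), the following Python script checks a self-managed instance's reported version against the patched releases named above, on a per-branch basis, so an operator can triage an inventory before upgrading; the hostnames and version strings in the sample inventory are constructed.

```python
"""Triage self-managed GitLab versions against the patched releases 18.8.2, 18.7.2 and 18.6.4.

A version counts as fixed only if it sits on one of those release branches at or
above the branch's patched release. Older branches (18.5 and earlier) received no
fix in this round and are flagged for upgrade; branches newer than 18.8 are not
covered by the advisory and are reported separately rather than assumed safe.
"""

# (major, minor) -> first patched patch level, taken from the advisory summary.
PATCHED = {(18, 8): 2, (18, 7): 2, (18, 6): 4}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH', tolerating an edition suffix such as '-ee' or '-ce'."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess(version: str) -> str:
    """Return 'fixed', 'vulnerable', 'unsupported-branch' or 'newer-branch'."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in PATCHED:
        return "fixed" if patch >= PATCHED[branch] else "vulnerable"
    if branch > max(PATCHED):
        # Released after the advisory; verify against GitLab's own release notes.
        return "newer-branch"
    # Older than the oldest patched branch: no fix issued, upgrade required.
    return "unsupported-branch"


if __name__ == "__main__":
    # Constructed sample inventory; these hosts and versions are not real.
    inventory = {
        "gitlab-a.example.internal": "18.8.1-ee",
        "gitlab-b.example.internal": "18.7.2-ee",
        "gitlab-c.example.internal": "18.6.3-ce",
        "gitlab-d.example.internal": "18.5.9-ee",
    }
    for host, ver in inventory.items():
        print(f"{host:28} {ver:10} {assess(ver)}")
```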