CVE-2025-0290
📋 TL;DR
A denial-of-service vulnerability in GitLab CE/EE allows attackers to cause background jobs to become unresponsive by exploiting CI artifacts metadata processing. This affects all GitLab instances running vulnerable versions, potentially disrupting CI/CD pipelines and automated workflows.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
Complete disruption of GitLab background job processing, halting CI/CD pipelines, automated deployments, and other scheduled tasks, leading to significant operational impact.
Likely Case
Degraded performance of GitLab background jobs, causing delays in CI/CD pipeline execution and automated processes, potentially affecting development workflows.
If Mitigated
Minimal impact with proper monitoring and job queue management, though some performance degradation may still occur during attack conditions.
🎯 Exploit Status
Exploitation requires specific conditions in CI artifacts metadata processing; likely requires authenticated access to trigger.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 17.5.5, 17.6.3, or 17.7.1 depending on current version
Vendor Advisory: https://gitlab.com/gitlab-org/gitlab/-/issues/372134
Restart Required: Yes
Instructions:
1. Back up the GitLab instance and database.
2. Update to a patched version: 17.5.5, 17.6.3, or 17.7.1.
3. Run 'gitlab-ctl reconfigure'.
4. Restart GitLab services.
5. Verify that background jobs are functioning normally.
🔧 Temporary Workarounds
Monitor and Restart Background Jobs (Linux)
Implement monitoring for background job queues and manually restart stuck jobs:
- gitlab-rake gitlab:background_jobs:check
- gitlab-ctl restart sidekiq
Limit CI Artifact Uploads (all platforms)
Restrict CI artifact upload sizes and frequency to reduce the attack surface:
- Set CI_ARTIFACTS_MAX_SIZE in gitlab.rb
- Configure job artifacts expiration
🧯 If You Can't Patch
- Implement strict access controls for CI/CD pipeline configuration and artifact uploads
- Deploy monitoring for background job queue health and implement automated alerting for job failures
🔍 How to Verify
Check if Vulnerable:
Check the running GitLab version: gitlab-rake gitlab:env:info | grep 'Version:'
Verify Fix Applied:
Confirm the version is 17.5.5, 17.6.3, or 17.7.1 or higher, then monitor background job processing to confirm jobs complete normally.
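A version check as an added example (not from the advisory or from GitLab's own tooling) that parses the gitlab:env:info output referenced above and decides, per release line, whether the fixed version is installed. The sample output embedded below is constructed, and treating release lines older than 17.5 as unpatched is an assumption, since the advisory lists no fixed version for them.

```shell
#!/bin/sh
# Added example, not part of the advisory or of GitLab's own tooling.
# Decides whether a self-managed GitLab instance runs a version carrying the
# CVE-2025-0290 fix (17.5.5, 17.6.3 or 17.7.1, or later in each line).
# Assumption: no fixed version below 17.5 is listed, so older lines are
# reported as unpatched.

# Extract the GitLab version from `gitlab-rake gitlab:env:info` output on stdin.
# That output has several "Version:" lines (Ruby, GitLab Shell, ...), so only
# the one under the "GitLab information" heading is used (layout assumed).
version_from_env_info() {
    awk '/^GitLab information/ { section = 1; next }
         section && /^Version:/ { print $2; exit }'
}

# Return 0 if the given version (e.g. "17.6.3-ee") is patched, 1 otherwise.
gitlab_0290_patched() {
    v=${1%%-*}                                   # drop edition suffix ("-ee")
    case "$v" in *[!0-9.]*|'') return 1 ;; esac  # reject malformed input
    major=${v%%.*}; rest=${v#*.}
    [ "$rest" = "$v" ] && return 1               # need at least major.minor
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0            # "17.7" is treated as 17.7.0
    patch=${patch%%.*}                           # ignore any fourth component
    [ "$major" -gt 17 ] && return 0
    [ "$major" -lt 17 ] && return 1
    case "$minor" in
        5) [ "$patch" -ge 5 ] ;;
        6) [ "$patch" -ge 3 ] ;;
        7) [ "$patch" -ge 1 ] ;;
        *) [ "$minor" -gt 7 ] ;;
    esac
}

# Constructed sample of gitlab:env:info output so the script runs offline.
SAMPLE_ENV_INFO='System information
Ruby Version:   3.2.5
GitLab information
Version:        17.6.2-ee
Revision:       0000000
GitLab Shell
Version:        14.39.0'

# On a real host, replace the printf with: gitlab-rake gitlab:env:info
ver=$(printf '%s\n' "$SAMPLE_ENV_INFO" | version_from_env_info)
if gitlab_0290_patched "$ver"; then
    echo "GitLab $ver: fixed version for CVE-2025-0290"
else
    echo "GitLab $ver: NOT patched for CVE-2025-0290; upgrade and restart"
fi
```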
📡 Detection & Monitoring
Log Indicators:
- Sidekiq job processing delays in production.log
- Background job timeout errors
- Increased job queue lengths
Network Indicators:
- Increased response times for GitLab API endpoints
- Delayed webhook deliveries
SIEM Query:
source="gitlab" ("sidekiq stuck" OR "background job timeout" OR "job queue backlog")