Impact of PostgreSQL CVE-2025-1094 vulnerability on GitLab
Description
PostgreSQL has released information about a security vulnerability, CVE-2025-1094, that affects multiple versions of PostgreSQL. This article explains the impact on GitLab installations and the required actions.
Affected Environments
For GitLab.com and GitLab Dedicated customers:
- GitLab is handling the necessary PostgreSQL upgrades for these environments
- No action is required from customers
For GitLab Self-Managed customers:
- This vulnerability affects specific versions of PostgreSQL listed in CVE-2025-1094.
- All GitLab Linux packages using an affected PostgreSQL version will be impacted.
- All GitLab installations using an external / non-packaged PostgreSQL server listed in CVE-2025-1094 will be impacted.
Impact
CVE-2025-1094 is a security vulnerability that affects multiple PostgreSQL versions. GitLab installations using an affected PostgreSQL version should be upgraded.
Solution
Self-managed installations using vulnerable PostgreSQL versions will need to upgrade their version of PostgreSQL. The steps vary depending on whether you are using the packaged PostgreSQL server or an external PostgreSQL server.
Upgrade packaged PostgreSQL
If using the PostgreSQL server shipped with the Linux package, upgrade GitLab to a release with a version of PostgreSQL not impacted by CVE-2025-1094.
- For GitLab 17.9.x, upgrade to 17.9.2 or later
- For GitLab 17.8.x, upgrade to 17.8.5 or 17.9.2 and later
- For GitLab 17.7.x, upgrade to 17.7.7 or 17.8.5+
Upgrade external/non-packaged PostgreSQL
- Follow any specific instructions from your database platform to upgrade PostgreSQL and address CVE-2025-1094.
- GitLab provides information for minor-version PostgreSQL upgrades in the upgrading external PostgreSQL databases docs.
- Plan to upgrade GitLab to take advantage of the other fixes in this critical patch release.
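Whether the packaged or an external server is in use, the first step is to confirm which PostgreSQL version is actually running. The script below is an added example, not part of this article or of GitLab's own tooling: it reads the version with gitlab-psql (Linux package) or plain psql (external server) and compares it against the first minor release of each major that carries the CVE-2025-1094 fix. That per-major table is taken from the PostgreSQL 2025-02-13 release announcement, which this page does not list, so verify it against the CVE-2025-1094 advisory before relying on it.

```shell
#!/bin/sh
# Added example, not from this article or GitLab. Compares a PostgreSQL server
# version against the first minor release of each major that carries the
# CVE-2025-1094 fix. The table is from the PostgreSQL 2025-02-13 release
# announcement, not from this page: verify it against the CVE-2025-1094 advisory.

# Minimum fixed minor for a major; empty where no fixed release exists
# (older, end-of-life majors).
min_fixed_minor() {
  case "$1" in
    17) echo 3 ;;
    16) echo 7 ;;
    15) echo 11 ;;
    14) echo 16 ;;
    13) echo 19 ;;
    *)  echo "" ;;
  esac
}

# pg_is_fixed VERSION -> exit 0 fixed, 1 vulnerable, 2 no fixed release known.
# Accepts "16.6" or the longer SHOW server_version form "16.7 (Debian 16.7-1...)".
pg_is_fixed() {
  case "$1" in *.*) ;; *) return 2 ;; esac
  major=${1%%.*}
  minor=${1#*.}
  minor=${minor%%[!0-9]*}
  need=$(min_fixed_minor "$major")
  [ -n "$need" ] || return 2
  [ "$minor" -ge "$need" ]
}

# Query the running server: gitlab-psql for the Linux package, plain psql
# (connection taken from PG* environment variables) for an external server.
check_running_server() {
  if command -v gitlab-psql >/dev/null 2>&1; then
    v=$(sudo gitlab-psql -tAc 'SHOW server_version')
  else
    v=$(psql -tAc 'SHOW server_version')
  fi
  rc=0
  pg_is_fixed "$v" || rc=$?
  case $rc in
    0) echo "PostgreSQL $v: includes the CVE-2025-1094 fix" ;;
    1) echo "PostgreSQL $v: vulnerable to CVE-2025-1094, upgrade required" ;;
    *) echo "PostgreSQL $v: no fixed release in this major, move to a supported major" ;;
  esac
  return $rc
}
```

Run `check_running_server` on the database host after sourcing the script; a non-zero exit status means an upgrade is still required.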
Additional information
- Further details on these critical patch releases can be found in the GitLab Critical Patch Release: 17.9.2, 17.8.5, 17.7.7 blog post.
- GitLab may backport fixes to earlier versions than our standard security backport policy would typically cover, potentially including version 17.8.