Security: Redis version used by GitLab CE 18.5.1 affected by CVE-2025-49844 (9.9 CVSS)
Hello GitLab Team,
We are currently operating GitLab CE in version 18.5.1 and are reviewing security advisories as part of our continuous compliance obligations.
The BSI (Federal Office for Information Security, Germany) issued a high-level security bulletin (BITS-H Nr. 2025-287813-1032) referencing CVE-2025-49844 (CVSS 9.9) regarding Redis.
According to our analysis, GitLab CE 18.5.1 still includes a Redis version that is affected by this vulnerability.
Questions:
- Will this Redis version be updated in a future GitLab release?
- Is there a scheduled patch date?
- Are there any recommended workarounds or mitigation measures in the meantime?
This issue is time-sensitive for us due to internal compliance and external audit requirements.
Many thanks in advance for your clarification and ongoing support.
Best regards,
René Mütterlein
Staatsbetrieb Sächsische Informatikdienste (SID)