When a user added a custom domain to their Pages site, no validation was performed to ensure that the user owned the domain. This issue allows an attacker to discover DNS records that already point to the GitLab Pages IP address but whose domains have not been claimed, and potentially hijack those domains. It impacts all users who created and then deleted custom domains using GitLab Pages but still have the DNS records active.
As of now, adding custom domains is disabled. Implementing a validation mechanism for this is really great for security and gives assurance of domain ownership.
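
One way for a domain owner to find the leftover records described above, as an added example (not GitLab's code): it walks a zone export, follows in-zone CNAMEs, and reports names that still reach the Pages address but are no longer attached to a Pages site. The address `192.0.2.10`, the zone lines and the claimed-domain set are constructed placeholders, and the function names are hypothetical.

```python
# Added example: audit your own zone for records left pointing at Pages.
# PAGES_IPS, ZONE and the claimed-domain set are constructed sample data.
PAGES_IPS = {"192.0.2.10"}  # placeholder (TEST-NET-1), not a real Pages address

ZONE = """\
example.com.        300 IN A     198.51.100.7
blog.example.com.   300 IN A     192.0.2.10
docs.example.com.   300 IN A     192.0.2.10
old.example.com.    300 IN CNAME docs.example.com.
www.example.com.    300 IN CNAME blog.example.com.
shop.example.com.   300 IN CNAME shop.vendor.example.
"""

def norm(name):
    """DNS names compare case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()

def parse_zone(text):
    """Return {name: (rtype, value)} for the A and CNAME lines of a zone export."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[2] == "IN" and parts[3] in ("A", "CNAME"):
            value = parts[4] if parts[3] == "A" else norm(parts[4])
            records[norm(parts[0])] = (parts[3], value)
    return records

def points_at_pages(name, records, pages_ips, max_hops=8):
    """Follow in-zone CNAMEs; True if the chain ends on a Pages address."""
    for _ in range(max_hops):          # hop limit guards against CNAME loops
        rec = records.get(name)
        if rec is None:
            return False               # target is outside this zone export
        rtype, value = rec
        if rtype == "A":
            return value in pages_ips
        name = value
    return False

def dangling(records, pages_ips, claimed):
    """Names that reach Pages but are not configured on any Pages site."""
    claimed = {norm(c) for c in claimed}
    return sorted(n for n in records
                  if points_at_pages(n, records, pages_ips) and n not in claimed)

if __name__ == "__main__":
    # Only blog and www are still attached to a Pages project (constructed).
    still_claimed = {"blog.example.com", "www.example.com"}
    for name in dangling(parse_zone(ZONE), PAGES_IPS, still_claimed):
        print("remove or re-claim:", name)
```

Each reported name should either have its DNS record deleted or be re-added to a Pages site the owner controls.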