How to fix CVE-2025-12664?

Within 24 hours: Inventory all GitLab instances and identify those running versions 13.0-18.10.2. Within 7 days: Upgrade affected installations to patched versions (18.8.9, 18.9.5, or 18.10.3 minimum). Within 30 days: Implement monitoring for abnormal GraphQL query patterns and establish rate-limiting policies on GraphQL endpoints as defense-in-depth.

Is Gitlab affected by CVE-2025-12664?

CVE-2025-12664 is a high-severity denial-of-service vulnerability affecting GitLab CE/EE versions 13.0 through 18.10.2 that allows unauthenticated attackers to exhaust server resources and disrupt development and CI/CD operations.

CVE-2025-12664

EUVD-2025-209365 HIGH

2026-04-08 [email protected]

GHSA-vjff-3wcf-gwp3

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Apr 08, 2026 - 23:24 euvd

EUVD-2025-209365

Analysis Generated

Apr 08, 2026 - 23:24 vuln.today

CVE Published

Apr 08, 2026 - 23:16 nvd

HIGH 7.5

Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an unauthenticated user to cause denial of service by sending repeated GraphQL queries.

Analysis

Denial of service in GitLab CE/EE versions 13.0 through 18.10.2 allows unauthenticated remote attackers to exhaust server resources via repeated GraphQL queries. Affects all installations from version 13.0 before patched releases 18.8.9, 18.9.5, and 18.10.3. Attackers can degrade or halt GitLab service availability without authentication, impacting development workflows and CI/CD pipelines. No public exploit identified at time of analysis.

Technical Context

CWE-1284 (Improper Validation of Specified Quantity in Input) indicates GraphQL endpoint lacks proper rate limiting or query complexity controls. Repeated queries overwhelm server resources through uncontrolled request processing. Vulnerability persisted across major versions since GitLab 13.0, suggesting architectural resource management deficiency in GraphQL parser or execution layer.

Affected Products

GitLab Community Edition and Enterprise Edition. Vendor: GitLab. Versions: 13.0 through 18.8.8, 18.9.0 through 18.9.4, 18.10.0 through 18.10.2. CPE: cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*, cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Remediation

Vendor-released patch: upgrade immediately to GitLab 18.8.9, 18.9.5, or 18.10.3 depending on your major version track. If immediate patching is impossible, implement network-level rate limiting on GraphQL endpoints (/api/graphql) or temporarily restrict GraphQL access to authenticated sessions only via reverse proxy rules. Monitor resource utilization and implement query complexity limits if custom deployments allow. Full technical details in official advisory: https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/ and vendor work item: https://gitlab.com/gitlab-org/gitlab/-/work_items/579376

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +38

POC: 0

CVE-2025-12664 vulnerability details – vuln.today

Back

CVE-2025-12664

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-12664

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code