Skip to main content

Gitlab CVE-2025-12664

| EUVD-2025-209365 HIGH
Improper Validation of Specified Quantity in Input (CWE-1284)
2026-04-08 cve@gitlab.com GHSA-vjff-3wcf-gwp3
Denial Of Service Gitlab
7.5
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:01 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
18.10.3,18.8.9,18.9.5
EUVD ID Assigned
Apr 08, 2026 - 23:24 euvd
EUVD-2025-209365
Analysis Generated
Apr 08, 2026 - 23:24 vuln.today
CVE Published
Apr 08, 2026 - 23:16 nvd
HIGH 7.5

DescriptionNVD

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an unauthenticated user to cause denial of service by sending repeated GraphQL queries.

AnalysisAI

Denial of service in GitLab CE/EE versions 13.0 through 18.10.2 allows unauthenticated remote attackers to exhaust server resources via repeated GraphQL queries. Affects all installations from version 13.0 before patched releases 18.8.9, 18.9.5, and 18.10.3. Attackers can degrade or halt GitLab service availability without authentication, impacting development workflows and CI/CD pipelines. No public exploit identified at time of analysis.

Technical ContextAI

CWE-1284 (Improper Validation of Specified Quantity in Input) indicates GraphQL endpoint lacks proper rate limiting or query complexity controls. Repeated queries overwhelm server resources through uncontrolled request processing. Vulnerability persisted across major versions since GitLab 13.0, suggesting architectural resource management deficiency in GraphQL parser or execution layer.

RemediationAI

Vendor-released patch: upgrade immediately to GitLab 18.8.9, 18.9.5, or 18.10.3 depending on your major version track. If immediate patching is impossible, implement network-level rate limiting on GraphQL endpoints (/api/graphql) or temporarily restrict GraphQL access to authenticated sessions only via reverse proxy rules. Monitor resource utilization and implement query complexity limits if custom deployments allow. Full technical details in official advisory: https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/ and vendor work item: https://gitlab.com/gitlab-org/gitlab/-/work_items/579376

More from same product – last 7 days

CVE-2026-3515 HIGH
8.5 May 24

Command injection in Prefect 3.6.18's GitHub integration allows authenticated users to execute arbitrary git commands th
CVE-2026-9807 MEDIUM POC
4.3 May 28

Incorrect authorization enforcement in GitLab CE/EE permits a blocked Project Access Token to continue reading private p
CVE-2026-4868 HIGH
8.2 May 27

Identity confusion in GitLab EE's Duo AI workflow runners lets an authenticated, low-privileged user cause specific Duo

CVE-2026-1402 MEDIUM
6.5 May 27

Denial of service in GitLab CE/EE affects all versions from 17.1 through those prior to 18.10.7, 18.11.4, and 19.0.1, al
CVE-2026-6713 MEDIUM
5.3 May 27

Unauthorized private project enumeration in GitLab CE/EE exposes confidential project metadata to unauthenticated networ

Share

CVE-2025-12664 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy