CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Description (NVD)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to cause a denial of service due to excessive resource consumption when processing certain webhook configuration inputs.
Analysis (AI)
GitLab CE/EE contains a denial of service vulnerability in webhook configuration processing that lets an authenticated user consume excessive server resources. Affected are all versions from 16.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1. An attacker with valid GitLab credentials who can submit webhook configuration can trigger the issue with crafted configuration inputs, degrading or denying availability of the instance; confidentiality and integrity are not affected, which matches the CVSS vector (C:N/I:N/A:H, no user interaction, scope unchanged). A proof-of-concept reference is listed via HackerOne, and patched releases are available for every affected branch.
Technical Context (AI)
The vulnerability is classified under CWE-1284 (Improper Validation of Specified Quantity in Input): when processing webhook configuration data, GitLab did not adequately validate or bound certain input values, so an authenticated user could force the application into work disproportionate to the size of the request. GitLab's public description says only "excessive resource consumption"; whether the cost is CPU time (algorithmic complexity), memory, or both is not specified, and the particular field involved has not been published, so any more specific characterisation is inference. The affected product is GitLab CE/EE (cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*), a widely deployed DevOps platform, so the practical impact is a self-hosted instance that becomes slow or unresponsive for all of its users while the attacker's requests are being processed. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) is consistent with this: reachable over the network, low attack complexity, low privileges required, availability impact only.
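The general defensive pattern behind CWE-1284 is to bound every quantity in the input (body size, element counts, string lengths) before the service does anything proportional to them. The following is an added illustration of that pattern, not GitLab's code and not a reproduction of the actual flaw: the field names (url, custom_headers), the JSON layout and the limits are hypothetical, and the sample payloads are constructed.

```python
"""Quantity-bounded validation of a webhook configuration payload.

Illustrative example only: this is not GitLab's code and does not reproduce the
actual flaw. Field names, limits and the payload layout are hypothetical.
"""
import json

# Upper bounds chosen for illustration; a real service derives them from its
# own data model and enforces them before any parsing or allocation.
MAX_BODY_BYTES = 16 * 1024
MAX_URL_LEN = 2048
MAX_HEADERS = 20
MAX_HEADER_NAME_LEN = 128
MAX_HEADER_VALUE_LEN = 1024


class ConfigRejected(ValueError):
    """Raised for any payload that fails a bound or type check."""


def validate_webhook_config(raw_body: bytes) -> dict:
    """Parse and bound a JSON webhook configuration.

    The cheapest checks run first (raw size, then shape, then counts), so a
    hostile payload is rejected before it can drive an expensive operation.
    """
    if len(raw_body) > MAX_BODY_BYTES:
        raise ConfigRejected(f"body of {len(raw_body)} bytes exceeds {MAX_BODY_BYTES}")
    try:
        cfg = json.loads(raw_body)
    except ValueError as exc:
        raise ConfigRejected("body is not valid JSON") from exc
    if not isinstance(cfg, dict):
        raise ConfigRejected("top-level value must be an object")

    url = cfg.get("url")
    if not isinstance(url, str) or not 1 <= len(url) <= MAX_URL_LEN:
        raise ConfigRejected(f"url missing, not a string, or longer than {MAX_URL_LEN}")
    if not url.startswith(("http://", "https://")):
        raise ConfigRejected("url must be http(s)")

    headers = cfg.get("custom_headers", [])
    if not isinstance(headers, list):
        raise ConfigRejected("custom_headers must be a list")
    # Bound the count before iterating, so an enormous list is never walked.
    if len(headers) > MAX_HEADERS:
        raise ConfigRejected(f"{len(headers)} custom headers exceeds {MAX_HEADERS}")
    clean_headers = []
    for item in headers:
        if not isinstance(item, dict):
            raise ConfigRejected("each custom header must be an object")
        key, value = item.get("key"), item.get("value")
        if not isinstance(key, str) or not 1 <= len(key) <= MAX_HEADER_NAME_LEN:
            raise ConfigRejected("header key missing or too long")
        if not isinstance(value, str) or len(value) > MAX_HEADER_VALUE_LEN:
            raise ConfigRejected("header value missing or too long")
        clean_headers.append((key, value))

    return {"url": url, "custom_headers": clean_headers}


def is_rejected(raw_body: bytes) -> bool:
    """True if the payload fails validation (convenience wrapper)."""
    try:
        validate_webhook_config(raw_body)
    except ConfigRejected:
        return True
    return False


# Constructed samples, not captured traffic.
GOOD_SAMPLE = json.dumps(
    {"url": "https://ci.example.test/hook",
     "custom_headers": [{"key": "X-Token", "value": "s3cr3t"}]}
).encode()
TOO_MANY_HEADERS = json.dumps(
    {"url": "https://ci.example.test/hook",
     "custom_headers": [{"key": f"X-{i}", "value": "v"} for i in range(MAX_HEADERS + 1)]}
).encode()
OVERSIZED_BODY = json.dumps(
    {"url": "https://ci.example.test/hook",
     "custom_headers": [{"key": "X-Big", "value": "a" * MAX_BODY_BYTES}]}
).encode()

if __name__ == "__main__":
    print(validate_webhook_config(GOOD_SAMPLE))
    for name, sample in (("too many headers", TOO_MANY_HEADERS), ("oversized body", OVERSIZED_BODY)):
        print(name, "rejected:", is_rejected(sample))
```

The ordering is the point: the raw size check costs O(1) and runs before the JSON parser, the list length check runs before the loop, and every string is length-checked before it is stored, so the work the server performs is bounded by constants the operator chose rather than by the attacker's input.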
Remediation (AI)
Upgrade GitLab to 18.8.7, 18.9.3 or 18.10.1 (or a later release on the same branch). Note that 18.8.7 is the fixed release for every affected version from 16.10 up to 18.8.x, since no fixes were published for earlier minor branches. Consult the official patch release post at https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released/ for version-specific guidance. Until patching is feasible: rate-limit the webhook configuration endpoints (the project and group hook settings in the web UI and the corresponding REST API routes) at the application or reverse-proxy level so a single account cannot submit configurations in a tight loop; keep webhook configuration restricted to the minimal set of trusted users (project webhooks already require at least the Maintainer role, so review who holds elevated project and group roles); monitor CPU and memory on the GitLab application servers for spikes that correlate with webhook configuration changes; and review the audit log for unusual webhook creation or editing, in particular bursts from a single account. Because this is a resource-exhaustion issue that needs nothing more than a valid account able to edit webhooks, treat unexplained timeouts or worker restarts around hook-configuration requests as a possible indicator. Isolating GitLab from other critical services on shared infrastructure limits the blast radius of a successful DoS.
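Because the affected ranges span three branches with three different fixed releases, a plain "newer than X" comparison gets the answer wrong (18.8.8 is fixed, 18.9.0 is not). The following is an added example, not GitLab's tooling: it encodes the ranges from the NVD description above and interprets the JSON shape GitLab returns from GET /api/v4/version ({"version": ..., "revision": ...}). The sample response is constructed, not captured from a real instance.

```python
"""Check a GitLab version string against the affected ranges from this advisory.

Added example, not GitLab's tooling. The ranges come from the NVD description;
SAMPLE_VERSION_RESPONSE is constructed, not a captured /api/v4/version reply.
"""
import json
import re

# (first affected, inclusive) -> (first fixed, exclusive), one tuple per branch
# named in the description. Versions from 16.10 up to 18.8.6 all map to 18.8.7
# because no earlier branch received a fix.
AFFECTED_RANGES = [
    ((16, 10, 0), (18, 8, 7)),
    ((18, 9, 0), (18, 9, 3)),
    ((18, 10, 0), (18, 10, 1)),
]

# Leading MAJOR.MINOR[.PATCH]; trailing suffixes such as -ee or -pre are ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple:
    """'18.9.1-ee' -> (18, 9, 1); '18.10' -> (18, 10, 0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def fixed_version_for(text: str):
    """Return the first fixed release for an affected version, or None if not affected."""
    v = parse_version(text)
    for low, fixed in AFFECTED_RANGES:
        if low <= v < fixed:
            return "%d.%d.%d" % fixed
    return None


def is_affected(text: str) -> bool:
    return fixed_version_for(text) is not None


def assess_version_response(body: str) -> dict:
    """Interpret the JSON body of GET /api/v4/version (the endpoint requires an authenticated token)."""
    version = json.loads(body)["version"]
    fixed = fixed_version_for(version)
    return {"version": version, "affected": fixed is not None, "upgrade_to": fixed}


# Constructed sample, not a real response.
SAMPLE_VERSION_RESPONSE = '{"version": "18.9.1-ee", "revision": "0123abc"}'

if __name__ == "__main__":
    print(assess_version_response(SAMPLE_VERSION_RESPONSE))
    for v in ("16.9.9", "17.11.3", "18.8.7", "18.10.0-pre", "19.0.0"):
        print(v, "affected" if is_affected(v) else "not affected", fixed_version_for(v))
```

To run it against a live instance, fetch https://gitlab.example/api/v4/version with a personal access token in the PRIVATE-TOKEN header and pass the response body to assess_version_response; the version string returned there carries the -ee suffix on Enterprise Edition, which the parser tolerates.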
External POC / Exploit Code: HackerOne report (external link)
Other identifiers: EUVD-2025-208991, GHSA-237m-4vqc-855x