CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Description (NVD)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to cause a denial of service due to excessive resource consumption when handling certain CI-related inputs.
Analysis (AI)
GitLab CE/EE contains a denial of service vulnerability in CI-related input handling that allows authenticated users to consume excessive server resources, potentially rendering the service unavailable. All versions from 13.7 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 are affected, across all GitLab installations. A publicly available proof-of-concept exists from HackerOne (report 3418149), though CISA has not flagged this for active exploitation in the wild, and the SSVC assessment records no evidence of current weaponization, while its Automatable value is not available.
Technical Context (AI)
The vulnerability stems from CWE-770 (Allocation of Resources Without Limits or Throttling), a resource exhaustion weakness affecting GitLab's CI pipeline processing logic. The affected product is identified via CPE (cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*), indicating all GitLab installations regardless of deployment model are potentially vulnerable. The root cause lies in insufficient input validation and resource limits when processing certain CI configuration inputs, allowing an authenticated attacker to craft malicious CI job definitions or pipeline configurations that trigger unbounded resource allocation. This affects the GitLab CI/CD execution engine across multiple major version branches, suggesting the flaw exists in core pipeline parsing or scheduling logic rather than isolated feature components.
Remediation (AI)
Immediately upgrade to patched versions: GitLab 18.8.7 or later, GitLab 18.9.3 or later, or GitLab 18.10.1 or later depending on your current branch. Consult https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released/ for exact upgrade procedures and release notes. As an interim control pending patching, implement CI job resource quotas at the runner and project level using GitLab's pipeline resource limits configuration to prevent unbounded resource consumption; restrict CI pipeline creation permissions to trusted users only; and monitor CI runner resource consumption for anomalous spikes that may indicate exploitation attempts. For organizations on unsupported version branches prior to 13.7, upgrade is mandatory as no patches are available.
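To turn the version ranges above into a repeatable triage check, here is an added Python example (not code from vuln.today, GitLab or NVD) that maps a reported GitLab version string onto the affected, fixed and unsupported ranges exactly as the advisory states them; the version strings it is exercised with are constructed, and the "-ee"/"-ce" suffix handling assumes the usual GitLab version format.

```python
"""Map a GitLab version string onto the ranges stated in this advisory."""
from typing import Optional, Tuple

# Affected ranges as the advisory states them: [from, before)
AFFECTED_RANGES: Tuple[Tuple[str, str], ...] = (
    ("13.7", "18.8.7"),
    ("18.9", "18.9.3"),
    ("18.10", "18.10.1"),
)
# Branches older than this are unsupported: no patch exists, upgrade regardless
OLDEST_PATCHED_BRANCH = "13.7"


def parse_version(v: str) -> Tuple[int, int, int]:
    """Normalise 'MAJOR.MINOR[.PATCH]' (optionally suffixed, e.g. '18.8.6-ee') to a 3-tuple."""
    core = v.strip().split("-")[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {v!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def minimum_fixed_version(version: str) -> Optional[str]:
    """Return the first patched release on the affected range, or None if not in any range."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= v < parse_version(hi):
            return hi
    return None


def is_affected(version: str) -> bool:
    return minimum_fixed_version(version) is not None


def status(version: str) -> str:
    """One of 'unsupported', 'affected' or 'not_affected' for triage output."""
    if parse_version(version) < parse_version(OLDEST_PATCHED_BRANCH):
        return "unsupported"
    return "affected" if is_affected(version) else "not_affected"


if __name__ == "__main__":
    # Constructed sample inventory: (instance name, version as reported by the instance)
    for name, ver in [("ci-01", "18.8.6-ee"), ("ci-02", "18.9.3"), ("legacy", "13.6.9")]:
        print(f"{name}: {ver} -> {status(ver)} (fixed in: {minimum_fixed_version(ver)})")
```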
External POC / Exploit Code
EUVD-2025-208993
GHSA-3f68-rg4r-xc3q