Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to cause a denial of service due to excessive resource consumption when handling certain CI-related inputs.
AnalysisAI
GitLab CE/EE contains a denial of service vulnerability in CI-related input handling that allows authenticated users to consume excessive server resources, potentially rendering the service unavailable. Versions 13.7 through 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 are affected across all GitLab installations. A publicly available proof-of-concept exists from HackerOne (report 3418149), though CISA has not flagged this for active exploitation in the wild, and the SSVC framework indicates no evidence of current weaponization despite automatable characteristics being unavailable.
Technical ContextAI
The vulnerability stems from CWE-770 (Allocation of Resources Without Limits or Throttling), a resource exhaustion weakness affecting GitLab's CI pipeline processing logic. The affected product is identified via CPE (cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*), indicating all GitLab installations regardless of deployment model are potentially vulnerable. The root cause lies in insufficient input validation and resource limits when processing certain CI configuration inputs, allowing an authenticated attacker to craft malicious CI job definitions or pipeline configurations that trigger unbounded resource allocation. This affects the GitLab CI/CD execution engine across multiple major version branches, suggesting the flaw exists in core pipeline parsing or scheduling logic rather than isolated feature components.
RemediationAI
Immediately upgrade to patched versions: GitLab 18.8.7 or later, GitLab 18.9.3 or later, or GitLab 18.10.1 or later depending on your current branch. Consult https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released/ for exact upgrade procedures and release notes. As an interim control pending patching, implement CI job resource quotas at the runner and project level using GitLab's pipeline resource limits configuration to prevent unbounded resource consumption; restrict CI pipeline creation permissions to trusted users only; and monitor CI runner resource consumption for anomalous spikes that may indicate exploitation attempts. For organizations on unsupported version branches prior to 13.7, upgrade is mandatory as no patches are available.
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.
The SSH key upload feature (lib/gitlab_keys.rb) in gitlab-shell before 1.7.3, as used in GitLab 5.0 before 5.4.1 and 6.x
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. Rated critical severity (CVSS 10
A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. Rated critical severity (CVSS 9.8)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions star
When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab af
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7.9 before 13.8.7, all versions sta
An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. Rated critical severity (CVSS 9.8), this vulnerability is
An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-208993
GHSA-3f68-rg4r-xc3q