EUVD-2025-208991

CVE-2025-13078 MEDIUM
2026-03-25 GitLab GHSA-237m-4vqc-855x
6.5
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

PoC Detected: Mar 26, 2026 - 18:29 (vuln.today) - Public exploit code
EUVD ID Assigned: Mar 25, 2026 - 16:47 (euvd) - EUVD-2025-208991
Analysis Generated: Mar 25, 2026 - 16:47 (vuln.today)
CVE Published: Mar 25, 2026 - 16:35 (nvd)

Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to cause a denial of service due to excessive resource consumption when processing certain webhook configuration inputs.

Analysis

GitLab CE/EE contains a denial of service vulnerability in webhook configuration processing that allows authenticated users to consume excessive server resources, affecting versions 16.10 through 18.10.0. An attacker with valid GitLab credentials can trigger this issue by submitting specially crafted webhook configuration inputs, resulting in application unavailability. A proof-of-concept exploit is publicly available via HackerOne, and patches are available for affected versions.

Technical Context

The vulnerability stems from improper resource consumption handling in GitLab's webhook configuration subsystem, classified under CWE-1284 (Improper Validation of Specified Quantity in Input). When processing webhook configuration data, GitLab fails to adequately validate or limit resource allocation for certain input patterns, allowing authenticated users to trigger algorithmic complexity attacks or memory exhaustion. The affected product is GitLab CE/EE (cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*), a widely deployed DevOps platform. The root cause is insufficient input validation in the webhook handling logic, which lets an authenticated user craft requests that force the application into computationally expensive or memory-intensive operations without appropriate guards or rate limiting.

Affected Products

GitLab CE and EE are affected across multiple version branches. Specifically, GitLab versions from 16.10 prior to 18.8.7 are vulnerable, as are versions 18.9 prior to 18.9.3, and versions 18.10 prior to 18.10.1. The affected product is identified by the CPE prefix cpe:2.3:a:gitlab:gitlab. Patches are available: upgrade to GitLab 18.8.7, 18.9.3, 18.10.1, or a later version on the same branch. For detailed patching information and release notes, refer to the official GitLab patch release announcement at https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released/ and the GitLab security tracking issue at https://gitlab.com/gitlab-org/gitlab/-/work_items/580488.
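The three version ranges above are easy to misread (the first one spans every release from 16.10.0 up to 18.8.6, not just the 18.8 branch), so here is a small checker written for this page (not GitLab's own tooling) that encodes them as half-open intervals and also evaluates a captured `/api/v4/version` JSON body; the sample body is constructed.

```python
"""Classify a GitLab version against the ranges named in this advisory."""
import json
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, first fixed) per advisory range; affected iff first <= v < fixed.
AFFECTED_RANGES = [
    ((16, 10, 0), (18, 8, 7)),   # 16.10 before 18.8.7
    ((18, 9, 0), (18, 9, 3)),    # 18.9 before 18.9.3
    ((18, 10, 0), (18, 10, 1)),  # 18.10 before 18.10.1
]


def parse_version(s: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH]' into a comparable tuple; missing patch level is 0."""
    parts = s.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {s!r}")
    major, minor = int(parts[0]), int(parts[1])
    patch = int(parts[2]) if len(parts) == 3 else 0
    return (major, minor, patch)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first patched release for the matching range, or None if not affected."""
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= v < first_fixed:
            return ".".join(str(n) for n in first_fixed)
    return None


def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None


def check_instance_version(version_json: str) -> Tuple[str, bool, Optional[str]]:
    """Evaluate the JSON body returned by GitLab's GET /api/v4/version endpoint.

    Returns (reported version, affected?, first fixed release or None).
    """
    body = json.loads(version_json)
    reported = body["version"].split("-")[0]  # strip suffixes such as '-ee'
    return reported, is_affected(reported), fixed_version_for(reported)


# Constructed sample response, shaped like the real endpoint's output.
SAMPLE_VERSION_JSON = '{"version": "18.9.1-ee", "revision": "0000000"}'

if __name__ == "__main__":
    print(check_instance_version(SAMPLE_VERSION_JSON))  # ('18.9.1', True, '18.9.3')
```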

Remediation

Immediately upgrade GitLab to version 18.8.7, 18.9.3, 18.10.1, or later, depending on your current branch. Consult the official GitLab patch release at https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released/ for version-specific guidance. Until patching is feasible, implement rate limiting on webhook configuration endpoints at the application or reverse-proxy level to prevent rapid, repeated submissions. Restrict webhook configuration privileges to a minimal set of trusted users and monitor system resource consumption (CPU, memory) during webhook operations for anomalous spikes. Review audit logs for suspicious webhook configuration activity from low-privilege accounts. Additionally, isolate GitLab from other critical services on shared infrastructure to contain the potential DoS impact.

Priority Score

53 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +32
POC: +20

EUVD-2025-208991 vulnerability details – vuln.today