EUVD-2025-208993

CVE-2025-13436 | MEDIUM
2026-03-25 | GitLab | GHSA-3f68-rg4r-xc3q
CVSS 3.1 base score: 6.5

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

PoC Detected: Mar 26, 2026 - 18:28 (vuln.today) - public exploit code
Analysis Generated: Mar 25, 2026 - 16:47 (vuln.today)
EUVD ID Assigned: Mar 25, 2026 - 16:47 (euvd) - EUVD-2025-208993
CVE Published: Mar 25, 2026 - 16:34 (nvd) - MEDIUM 6.5

Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to cause a denial of service due to excessive resource consumption when handling certain CI-related inputs.

Analysis

GitLab CE/EE contains a denial of service vulnerability in CI-related input handling that allows authenticated users to consume excessive server resources, potentially rendering the service unavailable. Versions from 13.7 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 are affected across all GitLab installations. A publicly available proof-of-concept exists from HackerOne (report 3418149). CISA has not flagged this vulnerability for active exploitation in the wild, and the SSVC assessment shows no evidence of current weaponization (the "automatable" value is not available).

Technical Context

The vulnerability stems from CWE-770 (Allocation of Resources Without Limits or Throttling), a resource exhaustion weakness affecting GitLab's CI pipeline processing logic. The affected product is identified via CPE (cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*), indicating all GitLab installations regardless of deployment model are potentially vulnerable. The root cause lies in insufficient input validation and resource limits when processing certain CI configuration inputs, allowing an authenticated attacker to craft malicious CI job definitions or pipeline configurations that trigger unbounded resource allocation. This affects the GitLab CI/CD execution engine across multiple major version branches, suggesting the flaw exists in core pipeline parsing or scheduling logic rather than isolated feature components.

Affected Products

GitLab Community Edition and Enterprise Edition are affected across multiple version branches. Specifically, GitLab versions from 13.7 prior to 18.8.7, GitLab 18.9 prior to 18.9.3, and GitLab 18.10 prior to 18.10.1 are vulnerable, as confirmed by ENISA EUVD-2025-208993 and the official GitLab patch release advisory. The affected product is identified by the CPE prefix cpe:2.3:a:gitlab:gitlab, which covers all affected installations. Patch releases are documented in the GitLab official advisory at https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released/, with corresponding maintenance releases for all affected version branches.

Remediation

Immediately upgrade to patched versions: GitLab 18.8.7 or later, GitLab 18.9.3 or later, or GitLab 18.10.1 or later depending on your current branch. Consult https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released/ for exact upgrade procedures and release notes. As an interim control pending patching, implement CI job resource quotas at the runner and project level using GitLab's pipeline resource limits configuration to prevent unbounded resource consumption; restrict CI pipeline creation permissions to trusted users only; and monitor CI runner resource consumption for anomalous spikes that may indicate exploitation attempts. For organizations on unsupported version branches prior to 13.7, upgrade is mandatory as no patches are available.
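As an added example (not part of this advisory and not GitLab's own tooling), the following Python script checks GitLab version strings from an inventory against the affected ranges stated above and reports the minimum fixed release for each; the inventory entries are constructed sample values.

```python
# Added example: classify GitLab versions against the ranges in this advisory.
# Not from the advisory or from GitLab; version strings are assumed to be
# "MAJOR.MINOR[.PATCH]" with an optional suffix such as "-ee".
import re

# Affected ranges from the advisory, as [lower, upper) tuples.
AFFECTED_RANGES = [
    ((13, 7, 0), (18, 8, 7)),
    ((18, 9, 0), (18, 9, 3)),
    ((18, 10, 0), (18, 10, 1)),
]
# First fixed release per maintained branch; older branches must move to 18.8.7+.
FIXED_VERSIONS = {"18.8": "18.8.7", "18.9": "18.9.3", "18.10": "18.10.1"}
DEFAULT_FIX = "18.8.7"


def parse_version(text):
    """Turn '18.9.2-ee' or 'v18.10' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(text):
    """Return (status, advice) for one version string."""
    v = parse_version(text)
    if v < (13, 7, 0):
        # Branches before 13.7 are unsupported: no patch exists for them.
        return ("unsupported", "branch predates 13.7; no patch exists, upgrade to a supported release")
    for lower, upper in AFFECTED_RANGES:
        if lower <= v < upper:
            fixed = FIXED_VERSIONS.get(f"{v[0]}.{v[1]}", DEFAULT_FIX)
            return ("affected", f"upgrade to {fixed} or later")
    return ("not_affected", "at or beyond the patched release for this branch")


if __name__ == "__main__":
    # Constructed sample inventory (hostname -> reported version).
    inventory = {"git-a": "18.8.6", "git-b": "18.9.2-ee", "git-c": "18.10.1", "git-old": "13.6.9"}
    for host, version in inventory.items():
        status, advice = assess(version)
        print(f"{host:8} {version:10} {status:13} {advice}")
```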

Priority Score

53 (scale: Low / Medium / High / Critical)
Components: KEV +0, EPSS +0.0, CVSS +32, POC +20
