CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Description (NVD)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an authenticated user to cause denial of service under certain conditions by exhausting server resources by making crafted requests to a discussions endpoint.
Analysis (AI)
Authenticated users can trigger a denial of service in GitLab CE/EE versions 10.6 through 18.11.0 by sending crafted requests to the discussions endpoint that exhaust server resources. The vulnerability requires valid authentication credentials and affects the 10.6 through 18.9, 18.10, and 18.11 release branches prior to the fixed versions. Publicly available exploit code exists; CISA has not yet listed this in the Known Exploited Vulnerabilities catalog, but the likelihood of active exploitation is moderate given public POC availability and the low complexity of resource exhaustion attacks.
Technical Context (AI)
The vulnerability resides in GitLab's discussions endpoint (API or web interface handler) and involves improper resource consumption controls, classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The affected product is GitLab Community Edition and Enterprise Edition, a DevOps platform written primarily in Ruby on Rails. The issue stems from insufficient request validation or rate-limiting on the discussions endpoint, allowing authenticated attackers to craft requests that consume excessive CPU, memory, or database resources without triggering protection mechanisms. This is a classic resource exhaustion vector where the endpoint fails to implement per-user or per-request quotas on computationally expensive operations.
Remediation (AI)
Upgrade immediately to GitLab 18.9.6, 18.10.4, or 18.11.1 depending on the current release branch. For users unable to patch immediately, implement network-level rate-limiting on the discussions endpoint using a reverse proxy (nginx, HAProxy) or GitLab's built-in API rate-limiting features, restricting requests per authenticated user per minute to values appropriate for legitimate discussion activity (e.g., 60-100 requests/minute/user). Monitor CPU and memory utilization on application servers, and consider enabling per-endpoint request timeouts to prevent long-running queries from exhausting resources. Additionally, review GitLab access controls to ensure that external collaborators and service accounts have appropriate permission scopes, reducing the number of authenticated users capable of triggering the endpoint. The patch is confirmed available per vendor advisory (https://about.gitlab.com/releases/2026/04/22/patch-release-gitlab-18-11-1-released/). Side effects of aggressive rate-limiting are rare for discussions workflows, but test in a staging environment to confirm legitimate users are not impacted by the chosen thresholds.
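A concrete form of the interim reverse-proxy mitigation described above, added here as an example and not taken from the advisory or from GitLab's own configuration: an nginx limit_req zone keyed by the caller's API token or session cookie, applied only to the discussions API paths. The upstream address, server name, endpoint regex and rate are assumptions to adapt to your deployment.

```nginx
# Added example (not from the advisory or GitLab): per-user rate limit on the
# GitLab discussions API at an nginx reverse proxy in front of GitLab.
# Assumptions: GitLab listens upstream on 127.0.0.1:8080, API callers send a
# PRIVATE-TOKEN header or a _gitlab_session cookie, and the discussions
# endpoints live under /api/v4/projects/<id>/(issues|merge_requests)/<iid>/discussions.

# Stable per-user key: API token, else session cookie, else client address.
map "$http_private_token$cookie__gitlab_session" $gl_user_key {
    default  "$http_private_token$cookie__gitlab_session";
    ""       $binary_remote_addr;
}

# 1r/s is roughly 60 requests/minute per user, the low end of the range above.
# A 10m zone holds on the order of 160k distinct keys.
limit_req_zone $gl_user_key zone=gl_discussions:10m rate=1r/s;
limit_req_status 429;   # tell clients they are throttled, not that the server failed

server {
    listen 443 ssl;
    server_name gitlab.example.com;   # assumption: replace with your host
    # ssl_certificate / ssl_certificate_key: keep your existing settings

    # Throttle only the discussions endpoints. burst absorbs the short fan-out
    # of a legitimate page load; nodelay serves the burst immediately and
    # rejects anything beyond it instead of queueing.
    location ~ ^/api/v4/projects/[^/]+/(issues|merge_requests)/[^/]+/discussions {
        limit_req zone=gl_discussions burst=20 nodelay;
        proxy_read_timeout 30s;   # per-endpoint cap on long-running requests
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Everything else passes through unthrottled.
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Validate with `nginx -t` and watch for 429 responses in the access log while testing in staging; GitLab also exposes discussions on other resources (for example commits, snippets and epics), so widen the location regex if those paths matter to you.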
References
EUVD-2025-209549
GHSA-vhmr-xxmg-qhfg