Introduction
A single unauthenticated request can render a GitLab instance unresponsive, disrupting development pipelines and collaboration for organizations relying on this platform. CVE-2025-10004 demonstrates how a flaw in API resource controls can translate into a denial of service condition affecting a broad range of GitLab deployments.
GitLab is a leading DevSecOps platform used by organizations worldwide for source code management, continuous integration, and collaborative software development. With millions of users and widespread adoption across industries, vulnerabilities in GitLab have significant operational impact.
Technical Information
CVE-2025-10004 is a denial of service vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE), rooted in the GraphQL API's handling of blob type queries. A remote, unauthenticated attacker can send specially crafted GraphQL queries that request large repository blobs. Because the affected versions neither limit the resources allocated to such a request nor throttle it, the server processes the oversized blob requests, consuming excessive memory and CPU. The result is severe performance degradation or complete unavailability of the GitLab instance.

The vulnerability is classified as CWE-770: Allocation of Resources Without Limits or Throttling. The attack requires no authentication and is performed over the network. Its root cause is the absence of validation and restriction on both the size of the blobs returned and the complexity of the GraphQL queries that request them, which lets an attacker exhaust server resources by repeatedly requesting large objects.

The issue was responsibly disclosed through HackerOne and acknowledged by GitLab in its October 2025 security advisory.
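The two missing controls the advisory names, an allocation limit and a throttle, are easy to see in code. The following Ruby is an added illustration, not GitLab's own code or patch: it places a guard in front of a blob-serving GraphQL resolver that (1) refuses a client that exceeds a per-minute request budget before anything is allocated, (2) checks the total size of the requested blobs against a cap using metadata only, before any blob content is read into memory, and (3) bounds the number of blobs one query may name. The query shape `blobs(paths: [...])`, the sample repository, the limit values and the client identifier are all assumptions constructed for this example.

```ruby
# Added example, not GitLab's code: enforce allocation limits and throttling
# (the CWE-770 controls) in front of a blob-serving GraphQL resolver.
# The repository contents, limits and query shape below are constructed
# assumptions for illustration only.

class ResourceExhausted < StandardError; end

# Constructed stand-in for a repository: path => blob size in bytes.
SAMPLE_REPO = {
  'README.md'        => 2_048,
  'src/main.rb'      => 10_240,
  'assets/video.bin' => 600 * 1024 * 1024, # a 600 MiB blob
}.freeze

class BlobQueryGuard
  MAX_BLOBS_PER_REQUEST   = 10
  MAX_BYTES_PER_REQUEST   = 10 * 1024 * 1024 # 10 MiB of blob content per query
  MAX_REQUESTS_PER_MINUTE = 30               # per client identity (IP or token)

  # The clock is injectable so the sliding window can be tested deterministically.
  def initialize(repo, clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) })
    @repo    = repo
    @clock   = clock
    @windows = Hash.new { |h, k| h[k] = [] } # client => request timestamps
  end

  # Pull the `paths: [...]` argument out of a blob query. Assumed query shape:
  #   { repository { blobs(paths: ["README.md", "src/main.rb"]) { rawBlob } } }
  def self.extract_blob_paths(query)
    m = query.match(/blobs\s*\(\s*paths\s*:\s*\[([^\]]*)\]/)
    return [] unless m
    m[1].scan(/"([^"]*)"/).flatten
  end

  # Sliding-window throttle: the request is refused, with nothing allocated,
  # once the client has made MAX_REQUESTS_PER_MINUTE requests in the last 60 s.
  def throttle!(client)
    now = @clock.call
    window = @windows[client]
    window.reject! { |t| t <= now - 60 }
    raise ResourceExhausted, "rate limit exceeded for #{client}" if window.size >= MAX_REQUESTS_PER_MINUTE
    window << now
  end

  # Size check done on metadata *before* any blob content is read into memory.
  # Returns the total number of bytes the query would materialise.
  def check_paths!(paths)
    raise ResourceExhausted, "too many blobs (#{paths.size})" if paths.size > MAX_BLOBS_PER_REQUEST
    total = 0
    paths.each do |path|
      size = @repo[path]
      raise ArgumentError, "unknown path #{path}" if size.nil?
      total += size
      if total > MAX_BYTES_PER_REQUEST
        raise ResourceExhausted, "query would materialise #{total} bytes (cap #{MAX_BYTES_PER_REQUEST})"
      end
    end
    total
  end

  # Resolver entry point: throttle, then bound the allocation, then serve.
  # Returns [path, size] pairs as a stand-in for the blob content itself.
  def serve(client, query)
    throttle!(client)
    paths = self.class.extract_blob_paths(query)
    check_paths!(paths)
    paths.map { |p| [p, @repo[p]] }
  end
end

if __FILE__ == $PROGRAM_NAME
  guard = BlobQueryGuard.new(SAMPLE_REPO)
  ok  = '{ repository { blobs(paths: ["README.md", "src/main.rb"]) { rawBlob } } }'
  big = '{ repository { blobs(paths: ["assets/video.bin"]) { rawBlob } } }'
  puts guard.serve('203.0.113.7', ok).inspect
  begin
    guard.serve('203.0.113.7', big)
  rescue ResourceExhausted => e
    puts "rejected: #{e.message}"
  end
end
```

The ordering matters: the throttle runs first because it costs nothing, and the size check consults only stored metadata, so an oversized request is rejected without ever allocating the blob it asked for. In a real deployment the per-client identity would come from the authenticated token or the source address, and the caps would be tuned to the instance's memory budget.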
Affected Systems and Versions
CVE-2025-10004 affects the following GitLab versions:
- GitLab CE/EE from 13.12 up to and including 18.2.8
- GitLab CE/EE from 18.3 up to and including 18.3.4
- GitLab CE/EE from 18.4 up to and including 18.4.2
All configurations of these versions are vulnerable if the GraphQL API is exposed. The vulnerability impacts both self-managed and enterprise deployments.
Vendor Security History
GitLab has a history of critical vulnerabilities, including previous issues in GraphQL and webhook endpoints. The October 2025 patch release addressed multiple high and medium severity vulnerabilities, such as CVE-2025-11340 (incorrect authorization in GraphQL mutations) and CVE-2025-2934 (denial of service in webhook endpoints). GitLab typically responds quickly to critical reports, leveraging its HackerOne bug bounty program and coordinated disclosure process. The recurrence of API-related vulnerabilities highlights ongoing challenges in securing complex, API-driven platforms.