GitLab CVE-2025-10004: Brief Summary of GraphQL Denial of Service Vulnerability

This post provides a brief summary of CVE-2025-10004, a denial of service vulnerability in GitLab CE and EE affecting versions 13.12 to 18.2.8, 18.3 to 18.3.4, and 18.4 to 18.4.2. The flaw involves crafted GraphQL queries that can make GitLab instances unresponsive. Patch and version details are included.
ZeroPath CVE Analysis

2025-10-09
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

A single unauthenticated request can render a GitLab instance unresponsive, disrupting development pipelines and collaboration for organizations relying on this platform. CVE-2025-10004 demonstrates how a flaw in API resource controls can translate into a denial of service condition affecting a broad range of GitLab deployments.

GitLab is a leading DevSecOps platform used by organizations worldwide for source code management, continuous integration, and collaborative software development. With millions of users and widespread adoption across industries, vulnerabilities in GitLab have significant operational impact.

Technical Information

CVE-2025-10004 is a denial of service vulnerability in GitLab CE and EE, rooted in the GraphQL API's handling of blob type queries. A remote, unauthenticated attacker can send specially crafted GraphQL queries that request large repository blobs. Because the affected versions impose insufficient resource allocation limits and no throttling on these requests, the server processes the oversized blob requests and consumes excessive memory and CPU, which can lead to severe performance degradation or complete unavailability of the GitLab instance.

The vulnerability is classified under CWE-770: Allocation of Resources Without Limits or Throttling. No authentication is required and the attack is performed over the network. The root cause is the absence of proper validation and restriction on the size of requested blobs and on the complexity of GraphQL queries, so repeated requests for large objects can exhaust server resources. The issue was responsibly disclosed via HackerOne and acknowledged by GitLab in its October 2025 security advisory.
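As an added example (not code from GitLab or from this post), the following Python sketch shows the kind of pre-execution limit that CWE-770 calls for: it measures a GraphQL document's selection depth and field count and rejects the request before any resolver touches the repository. The thresholds, the sample query and its field names are assumptions for illustration only; they are not GitLab's schema, its real limits, or its actual fix.

```python
import re

# Thresholds are assumptions chosen for this example; they are not GitLab's
# actual GraphQL limits.
MAX_DEPTH = 6      # deepest nested selection set we accept
MAX_FIELDS = 100   # total selected fields, counting each alias separately

# String literals are blanked out first so braces or names inside them are
# not mistaken for query structure.
_STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')
_NAME_RE = re.compile(r'[A-Za-z_][A-Za-z0-9_]*')
_TOKEN_RE = re.compile(r'[A-Za-z_][A-Za-z0-9_]*|\.\.\.|\S')
_KEYWORDS = {"query", "mutation", "subscription", "fragment", "on"}


def measure_query(query: str) -> tuple:
    """Return (max_depth, field_count) for a GraphQL document.

    Depth is the deepest nesting of selection-set braces. Fields are names
    selected inside a selection set; operation and fragment names, type
    conditions, directive names, alias labels and argument lists are skipped.
    """
    tokens = _TOKEN_RE.findall(_STRING_RE.sub('""', query))
    depth = max_depth = paren_depth = fields = 0
    prev = None
    for i, tok in enumerate(tokens):
        if tok == "(":
            paren_depth += 1          # entering an argument list
        elif tok == ")":
            paren_depth -= 1
        elif paren_depth == 0:
            if tok == "{":
                depth += 1
                max_depth = max(max_depth, depth)
            elif tok == "}":
                depth -= 1
            elif _NAME_RE.fullmatch(tok) and depth > 0:
                nxt = tokens[i + 1] if i + 1 < len(tokens) else None
                is_alias = nxt == ":"               # "alias: field"
                is_meta = tok in _KEYWORDS or prev in _KEYWORDS or prev == "@"
                if not (is_alias or is_meta):
                    fields += 1
        prev = tok
    return max_depth, fields


def check_query(query: str) -> tuple:
    """Return (accepted, reason). A rejected query should get an HTTP 4xx
    before execution, so no blob is ever loaded for it."""
    depth, fields = measure_query(query)
    if depth > MAX_DEPTH:
        return False, f"selection depth {depth} exceeds {MAX_DEPTH}"
    if fields > MAX_FIELDS:
        return False, f"field count {fields} exceeds {MAX_FIELDS}"
    return True, "ok"


# Constructed sample shaped like a repository blob request; the field names
# are assumptions for illustration, not a statement about GitLab's schema.
SAMPLE_QUERY = """
query RepoBlobs($path: String!) {
  project(fullPath: $path) {
    repository {
      blobs(paths: ["README.md", "LICENSE"]) {
        nodes { name size rawBlob }
      }
    }
  }
}
"""

# Constructed over-limit document: eight nested selection sets.
DEEP_QUERY = "{ " + "a { " * 7 + "a " + "} " * 8

if __name__ == "__main__":
    for label, q in (("sample", SAMPLE_QUERY), ("deep", DEEP_QUERY)):
        print(label, measure_query(q), check_query(q))
```

A production server would enforce the same limits through its GraphQL library's validation rules rather than a hand-rolled tokenizer, and would pair them with a cap on the size of any single blob returned; the point here is that the check runs on the document before execution, so resource use is bounded regardless of what the query asks for.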

Affected Systems and Versions

CVE-2025-10004 affects the following GitLab versions:

  • GitLab CE/EE from 13.12 up to and including 18.2.8
  • GitLab CE/EE from 18.3 up to and including 18.3.4
  • GitLab CE/EE from 18.4 up to and including 18.4.2

All configurations of these versions are vulnerable if the GraphQL API is exposed. The vulnerability impacts both self-managed and enterprise deployments.
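As an added example for inventory triage (not code from ZeroPath or GitLab), the following Python script parses GitLab version strings and checks them against the affected ranges exactly as this post states them, with both bounds inclusive; confirm the boundaries against the vendor advisory before acting on the result. The host names are constructed.

```python
import re

# Affected ranges as stated on this page, lower and upper bounds inclusive.
AFFECTED_RANGES = (
    ((13, 12, 0), (18, 2, 8)),
    ((18, 3, 0), (18, 3, 4)),
    ((18, 4, 0), (18, 4, 2)),
)

# Accepts forms such as "18.4.1-ee", "v17.2.0" or "18.3" (patch defaults to 0).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple:
    """Turn a GitLab version string into a comparable (major, minor, patch)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str) -> bool:
    """True when the version falls inside any affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(inventory) -> list:
    """inventory: iterable of (host, version_string); returns affected hosts sorted."""
    return sorted(host for host, ver in inventory if is_affected(ver))


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = [
    ("gitlab-prod.example.internal", "18.4.1-ee"),
    ("gitlab-staging.example.internal", "18.4.3-ee"),
    ("gitlab-legacy.example.internal", "16.11.2-ce"),
    ("gitlab-old.example.internal", "13.11.6"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected by CVE-2025-10004, schedule upgrade")
```

In practice the version strings would come from each instance's admin area or version endpoint; the comparison logic stays the same.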

Vendor Security History

GitLab has a history of critical vulnerabilities, including previous issues in GraphQL and webhook endpoints. The October 2025 patch release addressed multiple high and medium severity vulnerabilities, such as CVE-2025-11340 (incorrect authorization in GraphQL mutations) and CVE-2025-2934 (denial of service in webhook endpoints). GitLab typically responds quickly to critical reports, leveraging its HackerOne bug bounty program and coordinated disclosure process. The recurrence of API-related vulnerabilities highlights ongoing challenges in securing complex, API-driven platforms.
