ZeroPath at Black Hat USA 2026

Brief Summary: GitLab CE/EE CVE-2025-14869 Unauthenticated Denial of Service via Improper Input Validation

A short review of CVE-2025-14869, a high severity unauthenticated denial of service vulnerability in GitLab CE/EE caused by improper validation of input quantities on certain API endpoints. Covers technical details, affected versions, and mitigation guidance.

CVE Analysis

4 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-13

Brief Summary: GitLab CE/EE CVE-2025-14869 Unauthenticated Denial of Service via Improper Input Validation
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An unauthenticated denial of service vulnerability in GitLab's API layer means that any internet facing GitLab instance running an affected version can be disrupted by a remote attacker with no credentials. Tracked as CVE-2025-14869 with a CVSS score of 7.5, the flaw stems from improper validation of input quantities on certain API endpoints, allowing specially crafted payloads to exhaust system resources and degrade availability for legitimate users.

Technical Information

The root cause of CVE-2025-14869 falls under CWE-1284: Improper Validation of Specified Quantity in Input. This weakness class describes scenarios where an application fails to properly validate the size, count, or quantity of data supplied in user input. In the context of this GitLab vulnerability, certain API endpoints do not adequately constrain the magnitude or volume of incoming request payloads, enabling an attacker to submit inputs that consume disproportionate system resources.

The CVSS 3.1 vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Breaking this down: the attack is network accessible, requires low complexity, demands no privileges or user interaction, and results in high impact to availability with no effect on confidentiality or integrity. This profile makes the vulnerability particularly concerning because any network reachable GitLab instance with exposed API endpoints is a potential target, and exploitation requires no credentials whatsoever.

Attack Flow

Based on the available information, the exploitation path proceeds as follows:

  1. An attacker identifies a GitLab instance with API endpoints accessible over the network.
  2. The attacker crafts a payload that exploits the lack of input quantity validation on one or more of these endpoints.
  3. The specially crafted payload is submitted to the target API endpoint without any authentication.
  4. The GitLab application processes the oversized or malformed input, consuming excessive CPU, memory, or other system resources.
  5. The resource exhaustion degrades or completely disrupts service availability for legitimate users.

The specific API endpoints affected and the exact structure of the malicious payloads have not been publicly disclosed. This is consistent with responsible disclosure practices, as revealing these details before widespread patching would lower the barrier for exploitation. However, the CWE classification strongly suggests the issue involves unbounded or insufficiently bounded numeric parameters (such as page sizes, batch counts, or similar quantity fields) that the application processes without adequate limits.

Affected Systems and Versions

The vulnerability impacts multiple version tracks of both GitLab Community Edition (CE) and Enterprise Edition (EE):

ProductAffected Version RangeFixed Version
GitLab CE/EE18.5 through versions before 18.9.718.9.7
GitLab CE/EE18.10 through versions before 18.10.618.10.6
GitLab CE/EE18.11 through versions before 18.11.318.11.3

GitLab SaaS environments are already running the patched version and are not affected. Self managed installations running any version within the affected ranges should be considered vulnerable, particularly if their API endpoints are reachable from untrusted networks.

Vendor Security History

GitLab maintains a well established vulnerability disclosure and remediation process, consistently releasing patches across multiple supported version tracks simultaneously. The company operates a public bug bounty program through HackerOne, actively engaging the external security research community to surface vulnerabilities before they can be exploited. CVE-2025-14869 was reported by a researcher using the handle a92847865 through this program. This coordinated model, combining internal security engineering with community driven research, is a meaningful part of GitLab's approach to securing a platform that underpins software development workflows for organizations of all sizes.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization