ZeroPath at Black Hat USA 2026

Brief Summary: GitLab CE/EE CVE-2025-14870 Unauthenticated DoS in Duo Workflows API

A short review of CVE-2025-14870, a high severity unauthenticated Denial of Service vulnerability in GitLab's Duo Workflows API caused by insufficient JSON input validation. Includes patch details and affected version ranges.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-13

Brief Summary: GitLab CE/EE CVE-2025-14870 Unauthenticated DoS in Duo Workflows API
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A recently patched input validation flaw in GitLab's Duo Workflows API allows any unauthenticated remote attacker to force unbounded resource allocation on the server, resulting in a complete Denial of Service condition. With a CVSS 3.1 score of 7.5 and zero authentication requirements, this vulnerability represents a meaningful risk to every internet facing, self managed GitLab instance running versions 18.5 through the latest unpatched releases.

Technical Information

Root Cause: Unbounded Resource Allocation (CWE-770)

The vulnerability is rooted in the Duo Workflows API, a feature first introduced in GitLab version 18.5. The core issue is that the API endpoint accepts incoming JSON payloads without performing adequate validation on their size or structure. This maps directly to CWE-770: Allocation of Resources Without Limits or Throttling.

When a request arrives at the Duo Workflows API, the server parses and processes the JSON body. Because no bounds checking or resource consumption limits existed prior to the patch, an attacker could craft a JSON payload designed to force the server into allocating excessive memory or CPU resources. The result is service degradation or a complete denial of service for all users of the GitLab instance.

CVSS Breakdown

The full CVSS 3.1 vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, which breaks down as follows:

  • Attack Vector (Network): The vulnerability is exploitable remotely over the internet.
  • Attack Complexity (Low): No advanced exploitation techniques or specific timing conditions are required.
  • Privileges Required (None): The attacker does not need an account or any level of authentication to trigger the exploit.
  • User Interaction (None): The exploit can be executed entirely without the involvement of a legitimate user.
  • Scope (Unchanged): The impact is confined to the vulnerable component itself.
  • Confidentiality / Integrity (None): No data is leaked or modified.
  • Availability (High): The availability of the GitLab service can be completely compromised.

Attack Flow

Based on the available advisory information, the exploitation path follows a straightforward sequence:

  1. The attacker identifies a GitLab instance exposed to the network (no authentication or reconnaissance of user accounts is needed).
  2. The attacker crafts a specially structured JSON payload designed to trigger excessive resource allocation when parsed by the Duo Workflows API endpoint.
  3. The attacker sends this payload to the Duo Workflows API. Because the endpoint does not require authentication, the request is accepted and processed.
  4. The server begins allocating memory or processing resources in response to the malicious payload. Without any cap or throttle, this allocation continues until the server's resources are exhausted.
  5. The GitLab instance becomes unresponsive or crashes, denying service to all legitimate users.

The specific endpoint paths and proof of concept payloads remain undisclosed. The associated HackerOne report (#3446641) and GitLab work item (#584490) are both currently restricted from public view. Per GitLab's standard disclosure policy, the issue details will be made public on their issue tracker 30 days after the patch release.

Patch Information

GitLab addressed CVE-2025-14870 in a coordinated patch release published on May 13, 2026, shipping three fixed versions across supported release branches: 18.11.3, 18.10.6, and 18.9.7.

The core of the fix involves introducing proper input validation and resource consumption limits on the Duo Workflows API endpoint. Before the patch, specially crafted JSON payloads sent to this API could force the server to allocate memory or processing resources without any cap, leading to service degradation or outright denial of service. The remediation adds bounds checking and validation logic so that oversized or maliciously structured JSON bodies are rejected before they can trigger excessive resource consumption.

The vulnerability was introduced in GitLab version 18.5, the release that first shipped the Duo Workflows API, and affected all subsequent versions up to (but not including) the patched releases. The three fixed versions map to the three currently supported GitLab release trains:

Release BranchVulnerable VersionsFixed Version
18.11.x18.11.0 through 18.11.218.11.3
18.10.x18.10.0 through 18.10.518.10.6
18.9.x and older18.5.0 through 18.9.618.9.7

The specific code changes are not publicly visible at this time: the associated GitLab work item remains private, and the HackerOne report is also restricted.

GitLab.com was already updated to the patched version at the time of disclosure, and GitLab Dedicated customers required no action. Self managed installations should upgrade to one of the three fixed versions immediately. The vulnerability was originally reported by security researcher a92847865 through GitLab's HackerOne bug bounty program.

Affected Systems and Versions

The vulnerability affects GitLab Community Edition (CE) and Enterprise Edition (EE) across the following version ranges:

  • All versions from 18.5.0 up to (but not including) 18.9.7
  • All versions from 18.10.0 up to (but not including) 18.10.6
  • All versions from 18.11.0 up to (but not including) 18.11.3

The vulnerable component is the Duo Workflows API, which was first introduced in version 18.5. Any GitLab instance (self managed) running a version within these ranges and exposing the Duo Workflows API to network traffic is affected. GitLab.com (SaaS) and GitLab Dedicated instances have already been patched by GitLab and require no customer action.

Vendor Security History

GitLab maintains a public bug bounty program through HackerOne, operational since 2018. The vendor uses a public CVSS calculator to determine bounty payouts, which reach up to $1000 for critical and high severity reports upon triage. While general DoS attacks are typically out of scope for GitLab's bug bounty program, the vendor explicitly makes exceptions for application layer DoS vulnerabilities that achieve persistent total service disruption and can be executed through unauthenticated endpoints. The acceptance and remediation of CVE-2025-14870 aligns with this updated policy, reflecting GitLab's willingness to address high impact availability threats even when they fall into a category many bounty programs exclude.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization