Introduction
A single unauthenticated request can render a GitLab instance unresponsive if it exploits the right flaw. CVE-2025-8014 is a high-severity denial of service vulnerability in GitLab's GraphQL endpoints that allows attackers to bypass query complexity limits, leading to resource exhaustion and service disruption. This issue affects a wide range of GitLab Community and Enterprise Edition deployments, making it a significant concern for organizations relying on GitLab for their software development lifecycle.
GitLab is a widely adopted DevOps platform used by millions of developers and organizations globally. Its Community and Enterprise Editions are central to CI/CD, code management, and collaboration for teams of all sizes.
Technical Information
CVE-2025-8014 arises from a flaw in GitLab's GraphQL implementation. The vulnerability allows unauthenticated users to bypass the query complexity limits that are intended to prevent resource exhaustion. By crafting specific GraphQL queries, an attacker can evade the built-in complexity analysis, causing the backend to execute computationally expensive operations without triggering the intended safeguards. The result is excessive CPU and memory consumption on the server, producing denial of service conditions for legitimate users.
The vulnerability is present in all GitLab EE/CE versions from 11.10 up to but not including 18.2.7, 18.3.3, and 18.4.1. The root cause is insufficient enforcement of query complexity thresholds in the GraphQL API, which allows certain queries to slip past the intended checks. No authentication is required to exploit this issue, increasing its risk profile.
No public code snippets or exploit examples are available at this time.
Patch Information
The vulnerability is fixed in the following GitLab versions:
- 18.4.1
- 18.3.3
- 18.2.7
The patch strengthens the enforcement of query complexity thresholds in the GraphQL API, ensuring that resource-intensive queries are properly managed. Organizations running affected versions should upgrade to one of these releases immediately. The official patch release also addresses several other critical vulnerabilities, including XSS, privilege escalation, and additional DoS vectors. Full details are available in the official advisory:
Affected Systems and Versions
- GitLab Community Edition (CE) and Enterprise Edition (EE)
- Versions from 11.10 up to but not including 18.2.7, 18.3.3, and 18.4.1
- All configurations exposing GraphQL endpoints are vulnerable
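The version ranges above can be applied mechanically to an inventory of GitLab instances. The following is an added example, not code from the advisory or from GitLab; it assumes "major.minor.patch" version strings (an optional "-ee"/"-ce" suffix is tolerated) and treats each of 18.2, 18.3 and 18.4 as a separately patched branch, with earlier branches back to 11.10 unpatched and later branches shipping fixed.

```python
# Added example (not from the advisory): triage GitLab version strings against
# the affected range stated for CVE-2025-8014. The inventory below is constructed.
import re

# Lowest patched release on each maintained branch, per the advisory.
FIXED_BY_BRANCH = {(18, 2): 7, (18, 3): 3, (18, 4): 1}
FIRST_AFFECTED = (11, 10, 0)
LATEST_FIX = "18.4.1"

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?\s*$")


def parse_version(text):
    """Turn '18.3.2', '18.3.2-ee' or '18.3' into a (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version):
    """True if the version falls inside the CVE-2025-8014 affected range."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return v[2] < FIXED_BY_BRANCH[branch]
    # Branches between 11.10 and 18.1 never received a fix; 18.5+ ship fixed.
    return branch < (18, 2)


def upgrade_target(version):
    """Lowest patched release on the same branch, else the newest fix (assumption)."""
    branch = parse_version(version)[:2]
    if branch in FIXED_BY_BRANCH:
        return f"{branch[0]}.{branch[1]}.{FIXED_BY_BRANCH[branch]}"
    return LATEST_FIX


def triage(versions):
    """Return (version, affected, recommended_target_or_None) for each entry."""
    return [(v, is_affected(v), upgrade_target(v) if is_affected(v) else None)
            for v in versions]


if __name__ == "__main__":
    # Constructed inventory of instance versions, not real hosts.
    for row in triage(["18.3.2-ee", "18.2.7", "17.11.3", "18.5.0", "11.9.9"]):
        print(row)
```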
Vendor Security History
GitLab has a history of addressing critical vulnerabilities through coordinated patch releases. Recent advisories have included fixes for cross-site scripting, privilege escalation, and multiple denial of service issues. The vendor maintains an active bug bounty program and typically responds quickly to reported vulnerabilities, as demonstrated by the rapid release of patches for CVE-2025-8014.