GitLab CVE-2025-10858: Brief Summary of Unauthenticated Denial of Service via JSON Upload

This post provides a brief summary of CVE-2025-10858, a high-severity unauthenticated denial of service vulnerability in GitLab CE and EE before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1, triggered by crafted JSON file uploads. Includes affected versions and official patch details.
CVE Analysis

ZeroPath CVE Analysis

2025-09-26

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

A single crafted JSON file can render a GitLab instance unresponsive, disrupting development and deployment pipelines for entire organizations. CVE-2025-10858 is a high-severity denial of service flaw in GitLab's file upload handling that affects every release line up to the patched versions and requires no authentication to exploit.

GitLab is a leading DevSecOps platform with millions of users globally, serving as the backbone for source code management, CI/CD, and collaborative software development. Its central role in modern development workflows means vulnerabilities like this have broad and immediate operational impact.

Technical Information

CVE-2025-10858 is a denial of service vulnerability classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The issue exists in GitLab Community Edition and Enterprise Edition, specifically in the JSON file upload processing logic. An attacker exploits it by uploading a specially crafted JSON file that triggers excessive resource consumption during parsing. The advisory does not describe the exact trigger; for this weakness class the usual culprits are deeply nested objects or arrays, very large arrays, or repetitive structures that force the backend to allocate far more memory or CPU time than the size of the upload would suggest.

The vulnerability is notable because it does not require authentication. Any unauthenticated user with access to a vulnerable GitLab instance can submit a malicious JSON file through available upload interfaces. This can result in the GitLab service becoming unresponsive, effectively causing a denial of service for all users. The attack surface includes any endpoint or feature that allows JSON file uploads, making public-facing instances especially at risk.

No public code snippets or proof of concept details are available for this vulnerability. The root cause is GitLab's lack of sufficient resource allocation controls and input validation during JSON file processing.
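The paragraphs above describe the weakness class rather than GitLab's actual code, so the following is an added example, not code from GitLab or from the original post. It contrasts an unbounded JSON upload handler with one that enforces the two controls CWE-770 calls for: a byte-size cap checked before parsing and a nesting-depth cap enforced by the parser. The limits, the `UploadRejected` error and the helper names are all assumptions made for the illustration; the payloads are constructed inline and are not taken from any real exploit. It runs with Ruby's standard `json` library.

```ruby
require 'json'

# Hypothetical limits for the illustration; real deployments would make
# these configurable and tune them to the feature that accepts the upload.
MAX_UPLOAD_BYTES = 1 * 1024 * 1024   # 1 MiB
MAX_JSON_NESTING = 32

class UploadRejected < StandardError; end

# Unbounded handling: parse whatever arrives, with Ruby's nesting check
# switched off. This is the allocation-without-limits pattern of CWE-770.
def naive_parse_json_upload(payload)
  JSON.parse(payload, max_nesting: false)
end

# Bounded handling: reject on byte size before the parser allocates anything,
# then let the parser abort as soon as nesting exceeds the cap, so a tiny
# payload cannot force deep recursion or a huge object tree.
def parse_json_upload(payload, max_bytes: MAX_UPLOAD_BYTES, max_nesting: MAX_JSON_NESTING)
  if payload.bytesize > max_bytes
    raise UploadRejected, "payload is #{payload.bytesize} bytes, limit is #{max_bytes}"
  end
  JSON.parse(payload, max_nesting: max_nesting)
rescue JSON::NestingError            # subclass of ParserError, so it must come first
  raise UploadRejected, "nesting exceeds #{max_nesting} levels"
rescue JSON::ParserError
  raise UploadRejected, "malformed JSON"
end

# Collapses the outcome to :accepted or :rejected for easy comparison.
def upload_verdict(payload, **limits)
  parse_json_upload(payload, **limits)
  :accepted
rescue UploadRejected
  :rejected
end

# Constructed inputs (not captured from any real attack).
# deeply_nested_json(500) is only 1000 bytes but nests 500 levels deep.
def deeply_nested_json(depth)
  ("[" * depth) + ("]" * depth)
end

# oversized_json(600_000) is a flat array just over 1.2 MB.
def oversized_json(elements)
  "[" + ("0," * elements) + "0]"
end

if __FILE__ == $PROGRAM_NAME
  deep = deeply_nested_json(500)
  naive_parse_json_upload(deep)
  puts "naive parser accepted a #{deep.bytesize}-byte payload nested 500 deep"
  puts "guarded parser, same payload: #{upload_verdict(deep)}"
  puts "guarded parser, 1.2 MB flat array: #{upload_verdict(oversized_json(600_000))}"
  puts "guarded parser, small valid document: #{upload_verdict('{"a":[1,2,3]}')}"
end
```

The size check uses `String#bytesize` rather than the character count because the limit that matters is memory, and it runs before `JSON.parse` so an oversized body is never handed to the parser at all. In a web application the same cap should also be applied at the reverse proxy or framework layer so the body is never fully buffered.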

Patch Information

The vulnerability is fixed in the following GitLab versions:

  • 18.4.1
  • 18.3.3
  • 18.2.7

The fix adds stricter validation of uploaded JSON files so that malformed or resource-exhausting inputs are rejected before they can consume unbounded memory or CPU. Self-managed GitLab administrators should upgrade to one of these versions following the official upgrade paths. GitLab.com and GitLab Dedicated instances already run the patched code.

Reference: GitLab 18.4.1 Patch Release

Affected Systems and Versions

  • GitLab Community Edition (CE) and Enterprise Edition (EE)
  • All versions before 18.2.7
  • 18.3 before 18.3.3
  • 18.4 before 18.4.1

Any instance running one of these versions that exposes JSON file upload is vulnerable; because no authentication is needed, internet-facing instances are the most exposed.
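The three version ranges above are easy to misread by hand (for example, 18.2.8 is fixed while 18.3.0 is not), so here is an added example of a version check, not GitLab's own tooling, that encodes the advisory's ranges with `Gem::Version`. It assumes that any release line newer than the newest patched line (18.5 and later) carries the fix, which is an assumption and not a statement from the advisory, and it strips the `-ce`/`-ee` suffix GitLab appends to version strings.

```ruby
require 'rubygems'

# Versions that carry the fix, taken from the advisory.
FIXED_VERSIONS = %w[18.2.7 18.3.3 18.4.1].map { |v| Gem::Version.new(v) }.freeze

# Returns true when the given GitLab version is in an affected range.
# Rule encoded: on a patched release line (18.2, 18.3, 18.4), vulnerable if
# older than that line's fix; on an older line, always vulnerable; on a newer
# line, assumed fixed (an assumption made for this example).
def vulnerable_to_cve_2025_10858?(version_string, fixed = FIXED_VERSIONS)
  version = Gem::Version.new(version_string.sub(/-(ce|ee)\z/, ''))
  line = version.segments[0, 2]
  fix_on_line = fixed.find { |f| f.segments[0, 2] == line }
  return version < fix_on_line if fix_on_line

  version < fixed.min
end

if __FILE__ == $PROGRAM_NAME
  %w[17.11.8 18.1.5 18.2.6-ee 18.2.7-ee 18.3.0 18.3.3 18.4.0-ce 18.4.1 18.5.0].each do |v|
    status = vulnerable_to_cve_2025_10858?(v) ? 'VULNERABLE' : 'fixed'
    puts "#{v.ljust(10)} #{status}"
  end
end
```

Feed it the output of `gitlab-rake gitlab:env:info` or the `/api/v4/version` endpoint to triage a fleet quickly.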

Vendor Security History

GitLab has previously addressed several denial of service and resource exhaustion vulnerabilities, including issues in diff processing, runner description fields, and artifact handling. The vendor maintains a regular patch schedule and has demonstrated quick response to critical vulnerabilities. GitLab operates a public bug bounty program and provides transparent security advisories.
