GitLab GraphQL JSON DoS (CVE-2025-11447): Brief Summary and Patch Guidance

A brief summary of CVE-2025-11447, a denial of service vulnerability in GitLab's GraphQL API affecting versions 11.0 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1. This post covers technical details, affected versions, patch information, and references for further reading.
CVE Analysis

ZeroPath CVE Analysis

2025-10-26

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Service interruptions in source code management platforms can halt entire engineering teams and delay critical deployments. In October 2025, a denial of service vulnerability in GitLab's GraphQL API (CVE-2025-11447) was disclosed and patched, impacting a wide range of GitLab Community and Enterprise Edition versions. GitLab is a leading DevSecOps platform used by organizations worldwide for source code management, CI/CD, and collaboration. Its user base spans startups, enterprises, and open source projects, making vulnerabilities in its core services highly significant for the global tech ecosystem.

Technical Information

CVE-2025-11447 is a denial of service vulnerability in GitLab's GraphQL API. The flaw exists in the JSON validation logic that processes incoming GraphQL requests. Specifically, all GitLab CE/EE versions from 11.0 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 are affected. The vulnerability allows an unauthenticated attacker to send specially crafted JSON payloads to the GraphQL endpoint, triggering excessive resource consumption and causing the GitLab instance to become unresponsive.

The root cause is the lack of proper resource allocation limits or throttling in the JSON validation routines. When a maliciously structured JSON payload is submitted, the validation logic attempts to process it without sufficient checks on size, nesting, or complexity. This leads to uncontrolled CPU and memory usage, resulting in a denial of service condition. The vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling).

No public code snippets for the vulnerable implementation have been released. The attack does not require authentication, and the GraphQL endpoint is typically accessible over the network, making exploitation straightforward for remote attackers.

Patch Information

In the GitLab 18.5.1 release, several critical security vulnerabilities were addressed to enhance the platform's resilience against potential threats.

Denial of Service in JSON Validation (CVE-2025-11447): A vulnerability allowed unauthenticated users to cause a DoS condition by sending GraphQL requests with crafted JSON payloads. The patch introduced stricter JSON schema validation within the GraphQL API, ensuring that incoming requests adhere to expected structures and data types. This enhancement effectively blocks malformed requests from impacting system availability.
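The post does not include GitLab's patch. As an added illustration of the two mitigation classes described above (CWE-770 style resource caps from the Technical Information section, and structural validation of the request envelope from this patch note), the following Ruby guard, written for this post and not GitLab's code, checks a GraphQL request body before it is parsed fully or handed to a resolver. The class name, the limits, and the sample bodies are assumptions.

```ruby
require 'json'

# Added example (not GitLab's code): a guard that runs before a GraphQL request
# body reaches the parser and resolver. It enforces a byte-size cap, a nesting
# cap, and a minimal structural schema. All limits and names are assumptions.
class GraphqlJsonGuard
  MAX_BODY_BYTES = 1024 * 1024 # assumed cap: 1 MiB per request body
  MAX_NESTING    = 20          # assumed cap: GraphQL envelopes are shallow
  MAX_BATCH      = 10          # assumed cap on batched operations per request

  Result = Struct.new(:ok, :reason, :document)

  # Returns a Result; :reason is nil on success, otherwise a symbol naming
  # which check rejected the body.
  def self.check(body)
    return Result.new(false, :too_large, nil) if body.bytesize > MAX_BODY_BYTES

    begin
      # max_nesting makes the parser stop as soon as the depth cap is crossed,
      # instead of allocating the whole nested structure first.
      doc = JSON.parse(body, max_nesting: MAX_NESTING)
    rescue JSON::NestingError
      return Result.new(false, :too_deep, nil)
    rescue JSON::ParserError
      return Result.new(false, :malformed, nil)
    end

    ops = doc.is_a?(Array) ? doc : [doc]
    return Result.new(false, :batch_too_large, nil) if ops.size > MAX_BATCH
    return Result.new(false, :bad_shape, nil) unless ops.all? { |op| operation?(op) }

    Result.new(true, nil, doc)
  end

  # Minimal schema for one GraphQL operation envelope: a non-empty "query"
  # string, an optional "variables" object, an optional "operationName" string.
  def self.operation?(op)
    return false unless op.is_a?(Hash)
    return false unless op['query'].is_a?(String) && !op['query'].empty?
    return false unless op['variables'].nil? || op['variables'].is_a?(Hash)
    op['operationName'].nil? || op['operationName'].is_a?(String)
  end
end

# Constructed sample bodies for a local run (not captured traffic).
GOOD_BODY = '{"query":"{ currentUser { id } }","variables":{"first":5}}'
DEEP_BODY = '{"query":"{ currentUser { id } }","variables":' + ('[' * 50) + (']' * 50) + '}'
WRONG_SHAPE_BODY = '{"query":"{ currentUser { id } }","variables":[1,2,3]}'
```

Calling `GraphqlJsonGuard.check` on each constant accepts the first body and rejects the other two with `:too_deep` and `:bad_shape` respectively; in a Rails deployment the same check would sit in a Rack middleware scoped to the GraphQL path.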

Users are strongly encouraged to upgrade to version 18.5.1 to benefit from these security enhancements.

Patch reference: GitLab 18.5.1 Security Release

Affected Systems and Versions

  • GitLab Community Edition (CE) and Enterprise Edition (EE) versions 11.0 before 18.3.5
  • Versions 18.4 before 18.4.3
  • Versions 18.5 before 18.5.1

All deployment configurations of these versions are affected if the GraphQL API is exposed.

Vendor Security History

GitLab has previously addressed similar denial of service vulnerabilities in its API and GraphQL implementations. For example, CVE-2025-10004 targeted the GraphQL blob type, and CVE-2025-10497 affected event collection. The vendor maintains a regular security patch cadence and operates a public bug bounty program, with most critical vulnerabilities being patched within scheduled release cycles. GitLab's response to CVE-2025-11447 followed its standard process, with coordinated disclosure and timely patch release.
