Introduction
Development teams relying on GitLab for source code management and CI/CD could face total service disruption from a single network-based attack. CVE-2025-2256 allows any external actor to send multiple large SAML responses, making affected GitLab instances unresponsive to all legitimate users.
About GitLab: GitLab is a widely adopted DevSecOps platform with millions of users worldwide. It powers source code management, CI/CD, and project collaboration for organizations of all sizes. Both Community Edition (CE) and Enterprise Edition (EE) are used across industries, making vulnerabilities in GitLab highly impactful for the global technology ecosystem.
Technical Information
CVE-2025-2256 is a denial of service vulnerability in the SAML authentication flow of GitLab CE and EE. The vulnerability is rooted in improper validation of the size and concurrency of SAML responses (CWE-1284: Improper Validation of Specified Quantity in Input).
Mechanism:
- An attacker sends multiple concurrent SAML authentication requests with excessively large SAML responses to the GitLab SAML endpoint.
- GitLab fails to properly validate or limit the size and number of these incoming SAML responses.
- The authentication subsystem becomes overwhelmed, consuming excessive CPU and memory resources.
- This leads to resource exhaustion, causing the instance to become unresponsive to all users.
Key technical points:
- No authentication is required to exploit this issue.
- The attack can be launched remotely against any GitLab instance with SAML authentication enabled.
- The vulnerability affects both Community and Enterprise Editions.
- Discovered and responsibly disclosed by yuki_osaki via HackerOne.
Affected Systems and Versions
- GitLab Community Edition (CE) and Enterprise Edition (EE)
- All versions from 7.12 before 18.1.6
- 18.2 before 18.2.6
- 18.3 before 18.3.2
- Any deployment with SAML authentication enabled is vulnerable
Vendor Security History
GitLab has previously patched critical vulnerabilities in authentication, including SAML-related flaws (e.g., CVE-2024-45409, CVE-2025-25291, CVE-2025-25292). The vendor maintains a monthly release cycle and a public bug bounty program. Their response to critical vulnerabilities is typically prompt, with coordinated advisories and patches across supported versions.
