GitLab GraphQL API High-Severity Vulnerabilities and DoS Risk
GitLab has addressed two high-severity vulnerabilities in its GraphQL API, impacting both Community Edition (CE) and Enterprise Edition (EE) deployments. One of the vulnerabilities, tracked as CVE-2025-10004, allows unauthenticated attackers to launch denial-of-service (DoS) attacks by sending specially crafted GraphQL queries that request large repository blobs. This exploit can exhaust server resources, leading to severe performance degradation or complete unavailability of GitLab services. The vulnerability affects GitLab versions prior to 18.4.2, 18.3.4, and 18.2.8, and administrators are urged to upgrade to these patched versions immediately. The flaw is particularly critical for public-facing GitLab instances, as it does not require authentication to exploit, increasing the risk of opportunistic attacks. The CVE-2025-10004 vulnerability received a CVSS v3.1 base score of 7.5, underscoring its high risk to organizations relying on GitLab for source control and CI/CD pipelines. In addition to CVE-2025-10004, GitLab also patched other high-severity issues in the same update cycle, including vulnerabilities related to GraphQL authorization and JSON file uploads, both of which could also result in DoS conditions. GitLab.com and GitLab Dedicated customers were not affected by these vulnerabilities, as those platforms were either already patched or architecturally isolated from the exposure. The company responded promptly by releasing security updates and providing guidance for self-managed instance administrators. The vulnerabilities could have enabled attackers to disrupt development workflows, potentially creating further security risks during periods of downtime. Security professionals are advised to prioritize patching and to review their exposure, especially for internet-accessible GitLab deployments. The incident highlights the importance of timely vulnerability management in DevOps environments, where service availability is critical. GitLab's swift response and transparent disclosure have been commended by the security community. Organizations are also encouraged to monitor for unusual activity and to implement additional controls to limit the impact of potential DoS attacks. The vulnerabilities were discovered and reported through responsible disclosure channels, enabling GitLab to coordinate a secure and effective patch release. This event serves as a reminder for all DevOps teams to maintain up-to-date software and to stay informed about security advisories affecting their toolchains. The technical details of the vulnerabilities emphasize the need for robust input validation and resource management in API design. GitLab's handling of the incident demonstrates best practices in vulnerability response and communication.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
GitLab releases fixes for two high-severity GraphQL API flaws
GitLab patched two high-severity vulnerabilities affecting the GraphQL API in both Community Edition and Enterprise Edition. One of the disclosed issues is CVE-2025-10004, a denial-of-service vulnerability.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
GitLab Fixes DoS, Code Injection, and Access Control Flaws in Self-Managed Instances
GitLab released security updates for Community Edition and Enterprise Edition in versions **18.10.3**, **18.9.5**, and **18.8.9**, patching multiple vulnerabilities that affect self-managed deployments and urging administrators to upgrade immediately. The fixes address high-severity issues including a websocket access control flaw, denial-of-service conditions, and unintended server-side command execution tied to vulnerabilities such as `CVE-2026-5173`, `CVE-2026-1092`, and `CVE-2025-12664`. The release also resolves medium- and low-severity weaknesses involving code injection, cross-site scripting, GraphQL-related denial of service, CSV import and export handling, authorization bypasses, and information disclosure affecting private projects, protected environments, and custom roles. GitLab said some affected code paths date back to versions as old as 11.3 and 12.10, while **GitLab.com** and **GitLab Dedicated** are already protected; the company added that the patches require no new migrations and can be applied to multi-node deployments without downtime, although Omnibus packages still restart services during updates.
Apr 24, 2026
GitLab Security Update Fixes Web IDE Token Theft and DoS Vulnerabilities
GitLab released security updates for *Community Edition (CE)* and *Enterprise Edition (EE)*, shipping patched versions **18.8.4**, **18.7.4**, and **18.6.6** for self-managed deployments (with GitLab.com already remediated). The most severe issue, **CVE-2025-7659** (CVSS **8.0**), was attributed to *incomplete validation* in the **Web IDE** that could allow an **unauthenticated** attacker to steal access tokens and use them to access **private repositories**. The same release also addressed multiple high-severity availability and client-side issues, including **CVE-2025-8099** (CVSS **7.5**) enabling **DoS** via repeated/complex **GraphQL** queries and **CVE-2026-0958** (CVSS **7.5**) enabling resource exhaustion by bypassing **JSON validation middleware** limits. Additional fixes included CPU-exhaustion vectors involving specially crafted **Markdown** processing (e.g., **CVE-2026-1456** and **CVE-2026-1458**) and an **XSS** issue in code flow functionality (**CVE-2025-14560**, CVSS **7.3**) that could enable malicious script execution in a victim’s browser session.
Mar 21, 2026
GitLab Patches XSS and API Denial-of-Service Vulnerabilities in CE/EE
GitLab released security updates for **GitLab Community Edition (CE)** and **Enterprise Edition (EE)**, shipping patched versions **18.9.2**, **18.8.6**, and **18.7.6** to address multiple vulnerabilities affecting self-managed deployments. The Canadian Centre for Cyber Security issued advisory **AV26-222** urging organizations to review GitLab’s upstream advisory and apply the updates for any instances running versions prior to those releases. The update fixes **15 security issues**, including a high-severity **XSS** vulnerability (**CVE-2026-1090**, CVSS 8.7) in Markdown placeholder processing when the relevant feature flag is enabled, which could allow an authenticated attacker to inject malicious JavaScript into a victim’s browser. GitLab also addressed several **denial-of-service** conditions, including issues impacting the **GraphQL API** (resource exhaustion via recursion), repository archive endpoints, and JSON payload validation in the protected branches API; additional fixes include webhook-related DoS risks (e.g., **CVE-2025-13690**, **CVE-2025-12576**) and a **CRLF sequence** handling issue (**CVE-2026-3848**).
Mar 27, 2026