Mallory
Severity: High

Denial of Service in GitLab GraphQL API

Identifiers: CVE-2025-12664; CWE-1284 (Improper Validation of Specified…)

CVE-2025-12664 is a denial-of-service vulnerability in the GitLab CE/EE GraphQL API affecting self-managed installations. It impacts all versions from 13.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3. The issue stems from improper validation of the quantity of unauthenticated GraphQL requests to the /api/graphql endpoint, classified as CWE-1284. An attacker can repeatedly send GraphQL queries over HTTP without authentication and overwhelm backend resources. Available reporting indicates the flaw is volumetric in nature rather than a single-query complexity issue; existing GraphQL complexity scoring and per-request timeout controls did not prevent exploitation. Successful abuse can consume CPU, memory, and Sidekiq worker capacity, degrading or interrupting service.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unauthenticated remote attacker to cause a high-impact availability failure on vulnerable self-managed GitLab instances. Repeated GraphQL requests can exhaust CPU, memory, and Sidekiq worker resources, create severe latency for legitimate users, cause requests to fail after timeout, fill backend job queues, and in extreme cases trigger out-of-memory conditions that take the instance offline. The available information indicates no direct confidentiality or integrity impact.

Mitigation

If you can’t patch tonight, do this now.

As a defense-in-depth measure, enable and tune User and IP rate limits for GitLab, which GitLab notes are disabled by default. Restrict public exposure of self-managed GitLab instances where feasible, especially access to the /api/graphql endpoint from untrusted networks. Upstream filtering, reverse-proxy rate limiting, WAF throttling, and network ACLs can reduce exploitability until patching is completed, but these measures are mitigations only and do not replace upgrading to a fixed version.
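Before switching on the User and IP rate limits mentioned above, a practitioner usually wants two numbers from the instance's own logs: the peak per-IP rate that legitimate clients actually reach on /api/graphql (so the limit does not throttle real users) and which sources are already far above it. The following is an added example written for this page; it is not code from Mallory or GitLab. It assumes JSON request log lines with the field names GitLab's Rails production_json.log uses (remote_ip, path, time, meta.user), which should be verified against your version, and the sample log it processes is constructed inline.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

GRAPHQL_PATH = "/api/graphql"


def parse_graphql_requests(lines):
    """Yield (remote_ip, timestamp, authenticated) for each request to /api/graphql.

    Field names are assumed to follow GitLab's production_json.log: remote_ip,
    path, time (ISO 8601) and meta.user (present only when a user is signed in).
    """
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("path") != GRAPHQL_PATH:
            continue
        ts = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        yield rec["remote_ip"], ts, bool(rec.get("meta.user"))


def peak_in_window(timestamps, window_s):
    """Largest number of events that fall inside any window of window_s seconds.

    Two-pointer sweep over the sorted timestamps: 'lo' is advanced until the
    event at 'hi' is less than window_s seconds after it.
    """
    ts = sorted(timestamps)
    best = lo = 0
    for hi, t in enumerate(ts):
        while (t - ts[lo]).total_seconds() >= window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def peak_rates(lines, window_s=60, unauthenticated_only=True):
    """Per-IP peak count of GraphQL requests over any window_s seconds."""
    per_ip = defaultdict(list)
    for ip, ts, authed in parse_graphql_requests(lines):
        if unauthenticated_only and authed:
            continue
        per_ip[ip].append(ts)
    return {ip: peak_in_window(times, window_s) for ip, times in per_ip.items()}


def flag_bursts(lines, window_s=60, threshold=100, unauthenticated_only=True):
    """IPs whose peak rate exceeds the limit you intend to configure."""
    return {ip: n for ip, n in peak_rates(lines, window_s, unauthenticated_only).items()
            if n > threshold}


# Constructed sample log (not real traffic): one source hammering the endpoint
# without authentication, one signed-in user working normally, and some
# unrelated REST traffic that must be ignored.
_BASE = datetime(2026, 5, 12, 10, 0, 0, tzinfo=timezone.utc)


def _entry(ip, offset_s, path=GRAPHQL_PATH, user=None, method="POST"):
    rec = {
        "method": method,
        "path": path,
        "status": 200,
        "remote_ip": ip,
        "time": (_BASE + timedelta(seconds=offset_s)).isoformat(),
    }
    if user:
        rec["meta.user"] = user
    return json.dumps(rec)


SAMPLE_LOG = (
    [_entry("203.0.113.5", i * 0.2) for i in range(150)]                # 150 unauthenticated POSTs in 30 s
    + [_entry("198.51.100.7", i * 5, user="alice") for i in range(12)]  # 12 authenticated over 55 s
    + [_entry("198.51.100.7", i * 20, path="/api/v4/projects", method="GET") for i in range(3)]
)


if __name__ == "__main__":
    print(flag_bursts(SAMPLE_LOG, window_s=60, threshold=100))
```

On an Omnibus install the real input is /var/log/gitlab/gitlab-rails/production_json.log; run peak_rates over a quiet day with unauthenticated_only=False to see what legitimate clients need, then set the unauthenticated limit comfortably above that and let flag_bursts tell you which sources you will be cutting off.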

Remediation

Patch, then assume compromise.

Upgrade self-managed GitLab CE/EE instances to a fixed release: 18.10.3, 18.9.5, or 18.8.9 or later, depending on the supported upgrade path. GitLab states these releases contain the fix that adds controls to validate and constrain the quantity of GraphQL queries that an unauthenticated user can issue. GitLab.com and GitLab Dedicated were already patched at disclosure. GitLab also noted that versions 18.10.2, 18.9.4, and 18.8.8 were skipped and no packages exist for those version numbers.
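The three affected ranges in the summary above and the three fixed releases listed here are easy to misread when an instance sits on an older branch (17.x is affected and its fix target is 18.8.9, not 17.anything). The following is an added example for this page, not code from Mallory or GitLab: it encodes the published ranges as (first affected, first fixed) pairs and evaluates a version string such as the one returned by GitLab's GET /api/v4/version endpoint. The hostname and token in the usage comment are placeholders.

```python
import json
import sys

# Affected ranges for CVE-2025-12664 exactly as the advisory states them:
# (first affected version, first fixed version) on each release branch.
AFFECTED_RANGES = [
    ((13, 0), (18, 8, 9)),
    ((18, 9), (18, 9, 5)),
    ((18, 10), (18, 10, 3)),
]


def parse_version(version):
    """Turn '18.10.2-ee' or '18.9.4-ce.0' into a comparable tuple such as (18, 10, 2).

    GitLab package versions carry an edition suffix after '-'; it is not part of
    the numeric version and is dropped before comparison.
    """
    core = version.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


def fixed_release_for(version):
    """Return the first fixed release on the matching branch, or None if not affected.

    Python compares tuples lexicographically, so (18, 9) <= (18, 9, 4) < (18, 9, 5)
    expresses '18.9 before 18.9.5' directly, and a two-element lower bound sorts
    before any patch release on that branch.
    """
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= v < first_fixed:
            return ".".join(str(n) for n in first_fixed)
    return None


def is_affected(version):
    return fixed_release_for(version) is not None


def assess(version_payload):
    """Assess the JSON body returned by GET /api/v4/version on a self-managed instance.

    The endpoint returns at least {"version": "18.10.2-ee", "revision": "..."};
    only the 'version' field is used here.
    """
    version = version_payload["version"]
    return {
        "version": version,
        "affected": is_affected(version),
        "upgrade_to": fixed_release_for(version),
    }


if __name__ == "__main__":
    # Usage (placeholder host and token):
    #   curl -s -H "PRIVATE-TOKEN: $TOKEN" https://gitlab.example.com/api/v4/version | python3 check_cve_2025_12664.py
    print(json.dumps(assess(json.load(sys.stdin)), indent=2))
```

Because the upgrade path GitLab supports may require intermediate stops, treat upgrade_to as the minimum target on that branch rather than a single-step instruction, and remember that 18.10.2, 18.9.4 and 18.8.8 do not exist as packages.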
PUBLIC EXPLOITS

Exploits

No public exploit code has been observed for this vulnerability yet.

EXPOSURE SURFACE

Affected products & vendors


Vendor   Product   Type
GitLab   GitLab    application

Vendor-confirmed product mapping.
