CVE-2025-11447
BaseFortify
Publication date: 2025-10-27
Last updated on: 2025-10-27
Assigner: GitLab Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gitlab | gitlab | From 11.0.0 (inc) to 18.3.5 (exc) |
| gitlab | gitlab | From 11.0.0 (inc) to 18.3.5 (exc) |
| gitlab | gitlab | From 18.4.0 (inc) to 18.4.3 (exc) |
| gitlab | gitlab | From 18.4.0 (inc) to 18.4.3 (exc) |
| gitlab | gitlab | 18.5.0 |
| gitlab | gitlab | 18.5.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in GitLab CE/EE versions before 18.3.5, 18.4.3, and 18.5.1 allows an unauthenticated attacker to cause a denial of service (DoS) by sending specially crafted GraphQL requests with malicious JSON payloads.
How can this vulnerability impact me? :
The vulnerability can impact you by allowing an attacker to disrupt the availability of your GitLab service, causing a denial of service condition without needing authentication.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update GitLab CE/EE to version 18.3.5 or later if you are using 18.3, to 18.4.3 or later if you are using 18.4, or to 18.5.1 or later if you are using 18.5. These updates contain the fix for the denial of service issue caused by crafted GraphQL JSON payloads.