CVE-2025-10004 Overview
CVE-2025-10004 is a denial of service vulnerability affecting GitLab Community Edition (CE) and Enterprise Edition (EE). The flaw allows an unauthenticated attacker to make a GitLab instance unresponsive or severely degraded by sending crafted GraphQL queries that request large repository blobs. The issue affects all versions from 13.12 up to 18.2.8, 18.3 through 18.3.4, and 18.4 through 18.4.2. GitLab released a patch on October 8, 2025 to address the resource exhaustion condition, which is tracked under CWE-770 (Allocation of Resources Without Limits or Throttling).
Critical Impact
Remote, unauthenticated attackers can degrade or disable GitLab services by issuing crafted GraphQL queries against large repository blobs, disrupting development and CI/CD workflows.
Affected Products
- GitLab CE/EE versions 13.12 through 18.2.8
- GitLab CE/EE versions 18.3 through 18.3.4
- GitLab CE/EE versions 18.4 through 18.4.2
Discovery Timeline
- 2025-10-08 - GitLab releases patch version 18.4.2 addressing the issue
- 2025-10-09 - CVE-2025-10004 published to NVD
- 2025-10-20 - Last updated in NVD database
Technical Details for CVE-2025-10004
Vulnerability Analysis
The vulnerability resides in GitLab's GraphQL API, which exposes endpoints that can return repository blob contents. The implementation does not adequately limit the size or volume of blob data returned in a single query. An attacker can craft a GraphQL request that asks the server to load and serialize very large repository blobs, consuming excessive memory, CPU, and I/O on the GitLab Rails application and dependent services.
Because GraphQL allows clients to compose complex queries across multiple fields and aliases in a single request, a single malicious query can multiply the resource cost. When the targeted repository contains large files, the server attempts to materialize that data in memory before responding. This causes workers to stall, response latency to spike, and the instance to become unresponsive to legitimate users.
Root Cause
The root cause is the absence of effective resource limits on GraphQL queries that retrieve repository blob content (CWE-770). The GraphQL resolver did not enforce sufficient bounds on blob size, query complexity, or per-request resource allocation, allowing a single request to disproportionately consume backend capacity.
Attack Vector
The attack is delivered over the network against the GitLab GraphQL endpoint. According to the advisory, the impact described requires neither privileges nor user interaction, so any actor able to reach the GraphQL API can attempt exploitation. The result is availability loss only, with no impact on confidentiality or integrity.
No public proof-of-concept exploit has been published. Technical context for the issue is available in the GitLab Issue #568121 and the HackerOne Report #3026555.
Detection Methods for CVE-2025-10004
Indicators of Compromise
- Sudden, sustained spikes in memory and CPU usage on GitLab Rails (puma) and Sidekiq workers without a corresponding increase in legitimate user activity.
- Repeated POST requests to the /api/graphql endpoint from a single client or small set of IPs, especially those referencing blob, blobs, or rawBlob fields on Repository types.
- Elevated 5xx error rates, request timeouts, and worker restarts in GitLab production logs around the time of the suspicious GraphQL traffic.
Detection Strategies
- Parse GitLab production_json.log and api_json.log for GraphQL operations and flag queries that request blob content for unusually large files or that carry high query complexity scores.
- Apply rate-limit monitoring on the /api/graphql endpoint and alert when a single source exceeds normal baselines for query volume or response latency.
- Correlate GraphQL request bursts with host-level resource saturation metrics to identify likely exploitation attempts versus organic load.
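The following script is an added example, not part of the advisory or of GitLab's own tooling. It ties together two points made above: the alias amplification described under Vulnerability Analysis (one request carrying many aliased blob fields) and the log-parsing detection strategy. It reads JSON request-log lines, keeps only POST /api/graphql records, counts references to the blob, blobs and rawBlob fields in each query, and flags queries with many blob references or a slow blob fetch, plus sources that issue bursts of GraphQL requests. The log lines are constructed for the example, and the field names (time, method, path, remote_ip, duration_s, params with key/value pairs) are an assumption about the log schema; check them against your own api_json.log before using this against real data. The thresholds are likewise assumptions to be tuned to a baseline.

```python
import json
import re
from collections import defaultdict

# Thresholds are illustrative assumptions; tune them against your own GraphQL baseline.
BLOB_REF_THRESHOLD = 3   # blob-returning field references in one query (alias amplification)
SLOW_SECONDS = 5.0       # a blob query slower than this deserves a look
BURST_THRESHOLD = 5      # GraphQL requests from one source within the sample window

# Fields on GitLab's Repository/Tree types that return file content (blob, blobs, rawBlob).
# blob/blobs are matched as selections "blobs(" or "blob {", so an alias "x: blobs(" still
# counts; rawBlob is a scalar and is matched on its own.
BLOB_FIELD_RE = re.compile(r"\b(?:blob|blobs)\b(?=\s*[({])|\brawBlob\b")


def parse_line(line):
    """Parse one JSON log line; return None for blank or malformed lines."""
    line = line.strip()
    if not line:
        return None
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    return rec if isinstance(rec, dict) else None


def graphql_query(rec):
    """Return the query string for a POST /api/graphql record, else None (assumed schema)."""
    if rec.get("method") != "POST" or rec.get("path") != "/api/graphql":
        return None
    for param in rec.get("params", []):
        if param.get("key") == "query":
            return param.get("value") or ""
    return ""


def blob_refs(query):
    """Count references to blob-returning fields in a GraphQL query string."""
    return len(BLOB_FIELD_RE.findall(query))


def analyze(lines):
    """Return suspicious queries, bursty sources and per-source statistics for the given lines."""
    suspicious = []
    per_source = defaultdict(lambda: {"graphql": 0, "blob_queries": 0, "seconds": 0.0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        query = graphql_query(rec)
        if query is None:
            continue
        ip = rec.get("remote_ip", "?")
        duration = float(rec.get("duration_s", 0.0))
        refs = blob_refs(query)
        stats = per_source[ip]
        stats["graphql"] += 1
        stats["seconds"] += duration
        if refs:
            stats["blob_queries"] += 1
        reasons = []
        if refs >= BLOB_REF_THRESHOLD:
            reasons.append(f"{refs} blob field references (alias amplification)")
        if refs and duration > SLOW_SECONDS:
            reasons.append(f"blob query took {duration:.1f}s")
        if reasons:
            suspicious.append({"time": rec.get("time"), "remote_ip": ip, "reasons": reasons})
    bursty = {ip: s for ip, s in per_source.items() if s["graphql"] >= BURST_THRESHOLD}
    return {"suspicious_queries": suspicious, "bursty_sources": bursty,
            "per_source": dict(per_source)}


# ---- Constructed sample data (not real log output) ----
def _record(time, ip, query, duration, status=200):
    return json.dumps({"time": time, "method": "POST", "path": "/api/graphql",
                       "remote_ip": ip, "status": status, "duration_s": duration,
                       "params": [{"key": "query", "value": query}]})


# Six aliased blobs() selections in one request: the multiplication the advisory describes.
ALIASED_BLOB_QUERY = (
    'query { project(fullPath: "group/project") { repository { '
    + " ".join(f'b{i}: blobs(paths: ["big{i}.bin"]) {{ nodes {{ rawBlob }} }}' for i in range(6))
    + " } } }"
)
NORMAL_QUERY = 'query { project(fullPath: "group/project") { name webUrl } }'
SINGLE_BLOB_QUERY = ('query { project(fullPath: "group/project") { repository { '
                     'blobs(paths: ["README.md"]) { nodes { rawBlob } } } } }')

SAMPLE_LINES = [
    _record(f"2025-10-09T10:00:{sec:02d}Z", "203.0.113.5", ALIASED_BLOB_QUERY, dur, status)
    for sec, dur, status in [(1, 9.8, 200), (7, 11.2, 200), (14, 12.5, 200),
                             (22, 14.0, 504), (31, 15.3, 502)]
] + [
    _record("2025-10-09T10:00:05Z", "198.51.100.7", NORMAL_QUERY, 0.12),
    _record("2025-10-09T10:00:09Z", "198.51.100.7", SINGLE_BLOB_QUERY, 0.4),
    json.dumps({"time": "2025-10-09T10:00:12Z", "method": "GET", "path": "/api/v4/projects",
                "remote_ip": "198.51.100.7", "status": 200, "duration_s": 0.05}),
    "this line is not JSON",
]

if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LINES), indent=2))
```

Run against the sample, the five aliased queries from 203.0.113.5 are each flagged on both counts and that address is reported as a bursty source, while the ordinary project lookup and the single README fetch from 198.51.100.7 pass. In production, feed the script a tail of api_json.log and correlate the bursty-source window with the puma and Sidekiq memory metrics named above.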
Monitoring Recommendations
- Forward GitLab application logs, NGINX access logs, and host metrics to a centralized analytics platform and build dashboards for GraphQL endpoint behavior.
- Track per-source query rates, average response sizes, and worker memory consumption to establish baselines and detect deviation.
- Enable alerting on availability indicators such as health-check failures, request queue depth, and Sidekiq job backlog.
How to Mitigate CVE-2025-10004
Immediate Actions Required
- Upgrade GitLab CE/EE to version 18.4.2, 18.3.5, or 18.2.9 (or later) as soon as possible, per the vendor advisory.
- Restrict network access to the GitLab GraphQL endpoint from untrusted sources where feasible until the upgrade is complete.
- Review recent GraphQL traffic for signs of exploitation and identify any source IPs that should be blocked at the edge.
Patch Information
GitLab addressed the vulnerability in the October 8, 2025 patch release. See the GitLab Patch Release Notes for upgrade instructions and the full list of fixed versions. Self-managed administrators should plan upgrades on both primary and Geo secondary nodes. GitLab.com and Dedicated tenants are patched by GitLab.
Workarounds
- Place a reverse proxy or web application firewall in front of GitLab and apply aggressive rate limiting to the /api/graphql path.
- Require authentication for GraphQL access by limiting anonymous traffic at the network or application layer where business requirements allow.
- Monitor and proactively terminate long-running GraphQL requests at the proxy layer until patching is complete.
# Example NGINX rate limit for the GraphQL endpoint (reverse proxy in front of GitLab)
http {
    # Per-client limit keyed on the remote address. 10r/m is the aggressive workaround
    # setting; the GitLab web UI itself calls GraphQL, so tune the rate (or scope the
    # limit to unauthenticated traffic) against your baseline before applying it broadly.
    limit_req_zone $binary_remote_addr zone=graphql_zone:10m rate=10r/m;
    limit_req_status 429;

    # Placeholder backend: replace with your GitLab (workhorse) listener.
    upstream gitlab_upstream {
        server 127.0.0.1:8181;
    }

    server {
        listen 80;
        location = /api/graphql {
            limit_req zone=graphql_zone burst=5 nodelay;
            proxy_read_timeout 30s;   # terminate long-running GraphQL requests at the proxy
            proxy_pass http://gitlab_upstream;
        }
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.