CVE-2025-11447 Overview
CVE-2025-11447 is a high-severity denial of service vulnerability affecting GitLab Community Edition (CE) and Enterprise Edition (EE). The vulnerability exists in the GraphQL API endpoint and allows an unauthenticated attacker to cause a denial of service condition by sending GraphQL requests with specially crafted JSON payloads.
This vulnerability represents a significant risk to GitLab installations as it requires no authentication to exploit and can directly impact the availability of the entire platform. Organizations relying on GitLab for source code management and CI/CD pipelines could experience service disruptions affecting development workflows.
Critical Impact
Unauthenticated attackers can disrupt GitLab services through crafted GraphQL requests, potentially causing widespread denial of service affecting all users of the platform.
Affected Products
- GitLab Community Edition (CE) and Enterprise Edition (EE), all versions from 11.0 before 18.3.5
- GitLab CE/EE versions 18.4 before 18.4.3
- GitLab CE/EE versions 18.5 before 18.5.1 (that is, 18.5.0)
Discovery Timeline
- 2025-10-22 - GitLab releases security patch (versions 18.5.1, 18.4.3, 18.3.5)
- 2025-10-27 - CVE-2025-11447 published to NVD
- 2025-10-27 - Last updated in NVD database
Technical Details for CVE-2025-11447
Vulnerability Analysis
This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The flaw resides in GitLab's GraphQL API implementation: a request body that the server accepts without adequate limits can be made to cost far more CPU or memory than a legitimate query. Because GitLab's GraphQL endpoint serves public data to anonymous clients, the request is accepted and processed without any token, so the attack works remotely against any instance whose /api/graphql endpoint is reachable, which makes internet-facing installations the obvious targets.
GitLab's advisory describes the trigger only as GraphQL requests with "specially crafted JSON payloads"; the exact payload shape is not part of the public description. What is established is the effect: processing the payload exhausts server resources, producing degraded performance or complete unavailability for legitimate users of the platform.
Root Cause
The root cause of CVE-2025-11447 lies in how the GraphQL endpoint allocates resources while processing a request. GitLab did not adequately limit or throttle the work done when parsing and handling certain JSON payload structures, so an attacker can submit requests that trigger resource-intensive processing without proper bounds checking.
The specific payload structure has not been published in the advisory. Mechanisms consistent with the CWE-770 classification include very large or deeply nested JSON bodies and documents that are disproportionately expensive to parse or validate; in each case the cost to the server is out of proportion to the bytes the attacker sends, which is what lets a single unauthenticated client exhaust memory or CPU. Treat the "deeply nested" description as the general failure mode rather than a confirmed reproduction.
Attack Vector
The attack is network-based and requires no user interaction or authentication. An attacker can target any publicly accessible GitLab instance by sending malicious GraphQL queries to the /api/graphql endpoint. The crafted JSON payloads exploit the resource allocation weakness, causing the server to consume excessive resources while processing the request.
The attack scenario involves:
- Identifying a GitLab instance running an unpatched version (see Affected Products) whose /api/graphql endpoint is reachable
- Crafting malicious JSON payloads designed to trigger resource exhaustion
- Sending repeated GraphQL requests to the target endpoint
- Causing service degradation or complete denial of service
Since no authentication is required, the attack surface includes any GitLab instance whose GraphQL API is reachable from the network, including instances where every project is private, because the endpoint itself still accepts anonymous requests unless something upstream blocks them. For additional technical details, refer to the HackerOne Security Report and the GitLab Issue Tracker; GitLab normally makes the underlying security issue public about 30 days after the patch release, so the details may not be visible immediately.
Detection Methods for CVE-2025-11447
Indicators of Compromise
- Unusual spike in POST requests to the /api/graphql endpoint from one or a small number of source addresses
- Abnormally large JSON bodies on GraphQL requests (the nginx combined log format does not record request size; add $request_length to the log_format to see it)
- Elevated CPU or memory consumption on the Rails nodes correlated with GraphQL API activity, including Puma worker restarts (GitLab restarts workers that exceed their memory limit) or kernel OOM kills
- Repeated slow, timed-out or 5xx responses from the GraphQL endpoint while other paths remain healthy
- Web server or WAF logs showing numerous requests whose JSON bodies are unusually deep or large relative to the ordinary queries the GitLab web UI sends
Detection Strategies
- Monitor GraphQL API endpoint access patterns for anomalous request volumes or payload sizes
- Implement rate limiting alerts on the /api/graphql endpoint to detect potential abuse
- Deploy web application firewall (WAF) rules to inspect and flag suspicious JSON payload structures
- Configure application performance monitoring to alert on sudden resource consumption spikes
Monitoring Recommendations
- Keep and review GitLab's own GraphQL log: each request is recorded in graphql_json.log (on Omnibus under /var/log/gitlab/gitlab-rails/) with the operation name, query complexity, depth and duration. A request that exhausts a worker while the JSON body is still being parsed may never produce that entry, so also keep the nginx or Workhorse access logs, which record every request including the ones that never reached Rails
- Set up real-time alerting for abnormal patterns in GitLab web server and application logs
- Monitor server metrics (CPU, memory, response times) for correlation with GraphQL endpoint activity
- Review network traffic for repeated requests from suspicious source addresses targeting the API
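The indicators and detection strategies above reduce to a small log-scanning routine. The following is an added example written for this page, not GitLab's own tooling: it reads nginx access-log lines in the combined format that GitLab's bundled nginx uses, assumes one extra trailing $request_length field has been appended to the log_format (GitLab does not log request body size by default, so that field is an assumption), and raises two kinds of alert: a single GraphQL request with an oversized body, and a source address that exceeds a request budget inside a sliding time window. The sample traffic, addresses and thresholds are constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# nginx "combined" access log with one field appended. The trailing
# $request_length is an assumption made for this example: GitLab's bundled
# nginx does not log request body size by default, so add it to log_format
# if you want the large-body indicator.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<resp_bytes>\d+|-) "[^"]*" "[^"]*"'
    r'(?: (?P<req_len>\d+))?'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["req_len"] = int(rec["req_len"]) if rec["req_len"] else None
    return rec


def detect_graphql_abuse(lines, window_seconds=60, max_per_window=120,
                         max_body_bytes=64 * 1024):
    """Scan access-log lines for the two GraphQL indicators.

    Returns a list of (kind, ip, detail) tuples:
      ("large_body", ip, request_length)  one oversized GraphQL request body
      ("burst", ip, count)                the first time an IP exceeds
                                          max_per_window GraphQL requests
                                          inside the sliding window
    The thresholds are placeholders: the GitLab web UI legitimately issues
    many GraphQL calls per page view, so baseline real traffic before tuning.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    burst_alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/api/graphql"):
            continue
        ip, ts = rec["ip"], rec["time"]
        if rec["req_len"] is not None and rec["req_len"] > max_body_bytes:
            alerts.append(("large_body", ip, rec["req_len"]))
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > max_per_window and ip not in burst_alerted:
            burst_alerted.add(ip)
            alerts.append(("burst", ip, len(q)))
    return alerts


def build_sample_log():
    """Constructed sample traffic (not real GitLab logs): one browser user,
    one abusive client, one unrelated request and one unparseable line."""
    base = datetime(2025, 10, 23, 9, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(5):   # browser user: a handful of UI-driven GraphQL calls
        t = (base + timedelta(seconds=7 * i)).strftime(TIME_FMT)
        lines.append(f'10.0.0.5 - - [{t}] "POST /api/graphql HTTP/1.1" 200 1532 '
                     f'"https://gitlab.example.com/" "Mozilla/5.0" 812')
    for i in range(150):  # abusive client: 150 requests in 30 s, every 50th with a 1 MiB body
        t = (base + timedelta(seconds=i / 5)).strftime(TIME_FMT)
        size = 1024 * 1024 if i % 50 == 0 else 900
        lines.append(f'203.0.113.7 - - [{t}] "POST /api/graphql HTTP/1.1" 200 120 '
                     f'"-" "python-requests/2.32" {size}')
    lines.append('198.51.100.2 - - [23/Oct/2025:09:00:01 +0000] '
                 '"GET /users/sign_in HTTP/1.1" 200 9123 "-" "Mozilla/5.0"')
    lines.append('garbage line that does not parse')
    return lines


if __name__ == "__main__":
    for kind, ip, detail in detect_graphql_abuse(build_sample_log()):
        print(f"{kind:10s} {ip:15s} {detail}")
```

Run it against a real file with `detect_graphql_abuse(open("gitlab_access.log"))`. The burst alert fires once per source address rather than on every subsequent request, which keeps a noisy attacker from flooding the alert channel; the large-body alert is per request because each oversized body is individually worth seeing.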
How to Mitigate CVE-2025-11447
Immediate Actions Required
- Upgrade GitLab CE/EE to version 18.5.1, 18.4.3, or 18.3.5 immediately
- Implement rate limiting on the /api/graphql endpoint if patching cannot be performed immediately
- GitLab itself has no setting that requires authentication for /api/graphql (the endpoint serves public data to anonymous clients), so any temporary restriction to known users has to be enforced at the reverse proxy or WAF. An IP allowlist on /api/graphql is the least disruptive form, because the GitLab web UI calls the same endpoint from the browser and breaks if legitimate users are cut off from it
- Monitor server resources and GraphQL endpoint logs for signs of exploitation attempts
Patch Information
GitLab has released patched versions addressing this vulnerability. Upgrade to the patched release on the stable branch you are running:
- For 18.5.x deployments: upgrade to 18.5.1
- For 18.4.x deployments: upgrade to 18.4.3
- For versions 11.0 through 18.3.x: upgrade to 18.3.5 (or to a later patched branch)
GitLab only supports upgrades along its documented upgrade path, with required intermediate stops when several minor versions are skipped; an instance that is many releases behind cannot jump straight to 18.3.5, so check the upgrade path for your starting version and plan the stops before patching.
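The affected ranges in Affected Products and the upgrade targets above are easy to misread when scripting an inventory check ("18.4 before 18.4.3" and "11.0 before 18.3.5" are three separate branches, not one range). The following is an added example for this page, not GitLab's own code: it encodes the three ranges from the advisory and maps a version string, such as the "version" field returned by GET /api/v4/version (which requires a token) or the version shown on /help, to the first patched release on that branch. The version strings used to exercise it are constructed.

```python
import re

# Ranges from the GitLab advisory as (first affected, first fixed) tuples;
# a version is affected when first_affected <= version < first_fixed.
AFFECTED_RANGES = (
    ((11, 0, 0), (18, 3, 5)),   # 11.0 up to, but not including, 18.3.5
    ((18, 4, 0), (18, 4, 3)),   # 18.4.0 .. 18.4.2
    ((18, 5, 0), (18, 5, 1)),   # 18.5.0 only
)


def parse_version(text):
    """Turn a GitLab version string such as '18.4.2-ee' or '17.11.1' into
    a (major, minor, patch) tuple; a missing patch component counts as 0."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"not a GitLab version string: {text!r}")
    return tuple(int(x or 0) for x in m.groups())


def fixed_release_for(text):
    """Return the first patched release ('x.y.z') for an affected version,
    or None when the version is outside every affected range."""
    v = parse_version(text)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= v < first_fixed:
            return ".".join(map(str, first_fixed))
    return None


def is_affected(text):
    """True when the version falls inside one of the advisory's ranges."""
    return fixed_release_for(text) is not None


if __name__ == "__main__":
    # Constructed version strings covering each boundary of the three ranges.
    for v in ("15.11.13-ee", "18.3.4", "18.3.5", "18.4.2-ee",
              "18.4.3", "18.5.0", "18.5.1", "18.6.0"):
        print(f"{v:12s} affected={str(is_affected(v)):5s} "
              f"upgrade_to={fixed_release_for(v)}")
```

The returned target is the minimum patched release on the same branch; for an old instance it is the end of a multi-step upgrade path, not a single jump, as noted above.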
Detailed patch information is available in the GitLab Patch Release Announcement.
Workarounds
- Deploy a reverse proxy or web application firewall to filter and rate-limit requests to /api/graphql
- Implement network-level access controls to restrict GraphQL API access to trusted IP ranges
- There is no supported switch to disable the GraphQL API: GitLab's own web UI calls /api/graphql from the browser, so blocking the path outright at the proxy breaks large parts of the interface. If you must block, do it for anonymous or untrusted networks only (allow the path from trusted ranges, reject it elsewhere) and treat it as an emergency measure until the upgrade lands
- Monitor and automatically block IP addresses showing signs of abuse against the API endpoint
# Example nginx rate limiting for the GitLab GraphQL endpoint.
# On Omnibus GitLab the nginx config is generated from /etc/gitlab/gitlab.rb: put the
# limit_req_zone line in nginx['custom_nginx_config'] (http context) and the location
# block in nginx['custom_gitlab_server_config'] (server context), then run
# gitlab-ctl reconfigure. On a hand-managed nginx, edit the http and server blocks directly.
# http context: shared-memory zone keyed by client address, 10 requests/s per IP.
# 10r/s and burst=20 are placeholders: the GitLab web UI issues several GraphQL calls
# per page view, so measure normal traffic before tightening.
limit_req_zone $binary_remote_addr zone=graphql_limit:10m rate=10r/s;
# server context: apply the limit only to the GraphQL endpoint.
location /api/graphql {
    limit_req zone=graphql_limit burst=20 nodelay;   # beyond the burst, reject immediately
    limit_req_status 429;
    # Carry over the proxy_set_header, timeout and buffering directives from the existing
    # "location /" block; a location with only proxy_pass drops them and GitLab then sees
    # the wrong Host and X-Forwarded-* headers.
    proxy_pass http://gitlab-workhorse;
}
# Behind a load balancer, $binary_remote_addr is the balancer's address and every user
# shares one bucket; set real_ip_header and set_real_ip_from for the balancer's ranges
# (Omnibus: nginx['real_ip_header'] and nginx['real_ip_trusted_addresses']).
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.