CVE-2025-12571 Overview
CVE-2025-12571 is a denial of service vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE). The flaw allows an unauthenticated remote attacker to crash or exhaust resources on a GitLab instance by sending specifically crafted requests containing malicious JSON payloads. The issue affects all versions from 17.10 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1. GitLab classifies the underlying weakness as improper control of resource consumption [CWE-770]. The vulnerability requires no authentication, no user interaction, and is exploitable over the network.
Critical Impact
Unauthenticated attackers can trigger a denial of service against GitLab CE/EE servers, disrupting source code hosting, CI/CD pipelines, and DevOps workflows for affected organizations.
Affected Products
- GitLab CE/EE versions 17.10 through 18.4.4
- GitLab CE/EE versions 18.5 through 18.5.2
- GitLab CE/EE versions 18.6.0
Discovery Timeline
- 2025-11-26 - GitLab publishes patch release and security advisory
- 2025-11-26 - CVE-2025-12571 published to NVD
- 2025-12-10 - Last updated in NVD database
Technical Details for CVE-2025-12571
Vulnerability Analysis
The vulnerability resides in GitLab's handling of incoming JSON payloads on network-accessible endpoints. An attacker crafts a request containing a malicious JSON body that the application parses without sufficient resource bounds. Processing the payload consumes excessive CPU or memory, degrading service availability or crashing the Puma worker handling the request. Because the affected endpoints are reachable before authentication, any actor able to reach the GitLab web tier can exercise the flaw.
GitLab addressed the issue in versions 18.4.5, 18.5.3, and 18.6.1. Refer to the GitLab Patch Release Notes and the HackerOne Report #3362239 for vendor details.
Root Cause
The root cause maps to [CWE-770]: Allocation of Resources Without Limits or Throttling. GitLab's request pipeline accepts JSON input without enforcing strict size, depth, or complexity constraints on untrusted payloads. Parsing pathological JSON structures forces the server to allocate disproportionate compute or memory, exhausting worker capacity.
Attack Vector
Exploitation requires only network reachability to a vulnerable GitLab instance. The attacker sends HTTP requests with malicious JSON bodies to an affected endpoint. No credentials, tokens, or user interaction are required. Repeated or parallelized requests can sustain a denial of service against the instance. Internet-exposed GitLab servers are at highest risk.
No verified public proof-of-concept code is currently available. See the GitLab Issue Discussion for additional context.
Detection Methods for CVE-2025-12571
Indicators of Compromise
- Unauthenticated HTTP POST or PUT requests to GitLab API or web endpoints with abnormally large or deeply nested JSON bodies.
- Spikes in Puma worker memory consumption, request timeouts, or 502/503 responses correlated with external client IPs.
- Repeated requests from the same source addresses against JSON-accepting endpoints prior to authentication.
Detection Strategies
- Inspect reverse proxy or load balancer logs (NGINX, HAProxy) for requests with oversized Content-Length values targeting GitLab JSON endpoints.
- Correlate GitLab production_json.log entries showing elevated duration_s or worker terminations with concurrent unauthenticated requests.
- Deploy WAF rules to flag JSON payloads exceeding reasonable depth and size thresholds before they reach the GitLab application.
Monitoring Recommendations
- Alert on sustained increases in CPU, memory, or worker restart rates on GitLab Rails nodes.
- Track the ratio of unauthenticated to authenticated requests on API endpoints and alert on anomalies.
- Monitor upstream timeout and 5xx error rates from the GitLab reverse proxy as early indicators of resource exhaustion.
How to Mitigate CVE-2025-12571
Immediate Actions Required
- Upgrade self-managed GitLab instances to 18.6.1, 18.5.3, or 18.4.5 without delay.
- Restrict network exposure of the GitLab web tier to trusted networks or authenticated VPN users where feasible.
- Place a WAF or reverse proxy in front of GitLab and enforce request body size, JSON depth, and rate limits.
Patch Information
GitLab released fixed versions 18.4.5, 18.5.3, and 18.6.1 on 2025-11-26. GitLab.com runs the patched code. Self-managed administrators must upgrade their installations using the standard package, Helm chart, or Omnibus upgrade procedures documented in the GitLab Patch Release Notes.
Workarounds
- Enforce strict client_max_body_size and request rate limits in the front-end NGINX or reverse proxy configuration.
- Block or rate-limit unauthenticated requests to JSON-accepting endpoints at the WAF until patches are applied.
- Restrict access to the GitLab instance via IP allowlists or network segmentation until upgrade windows complete.
# Example NGINX hardening for the GitLab front-end
http {
limit_req_zone $binary_remote_addr zone=gitlab_api:10m rate=10r/s;
server {
client_max_body_size 10m;
client_body_buffer_size 128k;
location /api/ {
limit_req zone=gitlab_api burst=20 nodelay;
proxy_pass http://gitlab_upstream;
}
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
