CVE-2025-12664 Overview
A denial of service vulnerability has been identified in GitLab CE/EE that allows unauthenticated attackers to disrupt service availability through repeated GraphQL queries. This vulnerability affects a wide range of GitLab versions spanning from 13.0 through multiple major releases, creating a significant exposure window for organizations using self-hosted GitLab instances.
Critical Impact
Unauthenticated attackers can cause denial of service by sending repeated GraphQL queries, potentially disrupting critical DevOps workflows and CI/CD pipelines.
Affected Products
- GitLab CE/EE versions 13.0 before 18.8.9
- GitLab CE/EE versions 18.9 before 18.9.5
- GitLab CE/EE versions 18.10 before 18.10.3
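The three ranges above have an inclusive lower bound and an exclusive upper bound (the upper bound is the first fixed release). The following helper, added for this page and not part of GitLab, turns that list into a check you can run against the version string of your own instance; the ranges are exactly those in the list, and the example version strings passed in are made up for illustration.

```python
"""Check a self-hosted GitLab version against the affected ranges listed above.

Added example for this page, not GitLab code. The ranges are taken from the
"Affected Products" list: each entry is (first affected version, first fixed
version), with the lower bound inclusive and the upper bound exclusive.
"""
from __future__ import annotations

import re
from typing import Optional, Tuple

# (first affected, first fixed) per release line, as listed in the advisory.
AFFECTED_RANGES = [
    ((13, 0, 0), (18, 8, 9)),    # 13.0 before 18.8.9
    ((18, 9, 0), (18, 9, 5)),    # 18.9 before 18.9.5
    ((18, 10, 0), (18, 10, 3)),  # 18.10 before 18.10.3
]


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn strings like '18.9.4', 'v18.9.4-ee' or '18.10.1-pre' into (major, minor, patch).

    A missing patch component is treated as .0, so '18.9' means the first 18.9 release.
    """
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range (tuple comparison is lexicographic)."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first patched release that closes the range containing this version,
    or None when the version is outside every affected range."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


if __name__ == "__main__":
    import sys
    # Made-up version strings for illustration when no arguments are given.
    for arg in sys.argv[1:] or ["18.8.8-ee", "18.9.5", "18.10.2"]:
        fix = fixed_version_for(arg)
        print(f"{arg}: {'AFFECTED, upgrade to ' + fix if fix else 'not affected'}")
```

On an Omnibus host the installed version is printed by `gitlab-rake gitlab:env:info`; remotely it is returned by `GET /api/v4/version`, which requires an authenticated token. Note that for anything below 18.8 the listed fix is 18.8.9, so a 16.x or 17.x instance needs a multi-step upgrade along GitLab's supported upgrade path rather than a single patch.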
Discovery Timeline
- 2026-04-08 - CVE-2025-12664 published to NVD
- 2026-04-08 - Last updated in the NVD database
Technical Details for CVE-2025-12664
Vulnerability Analysis
This vulnerability is classified under CWE-1284 (Improper Validation of Specified Quantity in Input). That weakness describes a quantity supplied in the input not being checked against a safe bound; in a GraphQL API the quantities an attacker controls are typically the arguments that decide how much data or work a single query asks for (page sizes, nesting depth, batched operations). GitLab's advisory does not publish the query shape, only that the impact is reached by sending repeated GraphQL queries. The attack is executed remotely over the network and requires neither authentication nor user interaction, which makes internet-facing GitLab instances the primary concern.
The affected code is GitLab's GraphQL API, served at /api/graphql, which exposes repository data, user information and project metadata through a single flexible query interface. Because one GraphQL request can be far more expensive for the server than one REST call, the server has to bound both the cost of each query and how many such queries a single client may submit. The advisory indicates that this control was insufficient: a stream of repeated queries exhausts application resources and leaves the instance unresponsive to legitimate users.
Root Cause
The root cause is improper validation of a specified quantity in input (CWE-1284): the GraphQL endpoint did not enforce a tight enough bound on what an anonymous client could ask it to do. GitLab has not published the specific missing check; candidates consistent with the CWE and the public description are an unbounded or too-generous quantity argument in a query, inadequate query-complexity accounting, or resource quotas that were too permissive for anonymous callers. The patched releases are the authoritative fix; any proxy-side limit described below is defence in depth, not a substitute.
Attack Vector
The attack is network-based and requires no privileges or user interaction. An attacker can exploit this vulnerability by:
- Identifying the GitLab GraphQL endpoint (typically /api/graphql)
- Crafting queries that consume server resources
- Sending repeated requests to exhaust server capacity
- Causing denial of service for legitimate users
The vulnerability is particularly concerning because it can be exploited by completely unauthenticated users, allowing anonymous attackers to impact GitLab service availability without any prior access to the system.
Detection Methods for CVE-2025-12664
Indicators of Compromise
- Unusual spike in requests to the /api/graphql endpoint from single or multiple IP addresses
- Elevated server resource consumption (CPU, memory) correlated with GraphQL query processing
- Error logs indicating GraphQL query timeouts or resource exhaustion
- Repeated failed or slow responses from the GitLab web interface during attack periods
Detection Strategies
- Implement monitoring for abnormal request rates to the GraphQL API endpoint
- Configure alerting on elevated HTTP 5xx errors from the GitLab application
- Deploy web application firewall (WAF) rules to detect GraphQL query flooding patterns
- Monitor server resource metrics for sudden spikes in CPU and memory utilization
Monitoring Recommendations
- Enable detailed logging for GraphQL API requests including source IPs and query content
- Implement baseline monitoring for normal GraphQL traffic patterns to identify anomalies
- Configure real-time alerts for request volume thresholds on the /api/graphql endpoint
- Review network traffic logs for patterns consistent with automated query submission
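The indicators and detection strategies above come down to one measurement: how many /api/graphql requests a single source sends inside a short window, and whether the server starts answering them with 5xx. The script below, written for this page and not part of GitLab, implements that sliding-window count over log lines in the JSON shape of GitLab's production_json.log (fields time, method, path, status, remote_ip, duration_s). The log records are constructed inline for the example, not captured from a real instance, and the window and threshold are illustrative values you would tune to your own baseline.

```python
"""Flag source IPs that flood /api/graphql, from GitLab production_json.log-style lines.

Added example for this page, not GitLab code. Field names (time, method, path,
status, remote_ip, duration_s) follow GitLab's production_json.log, but the
records below are constructed for this example, not captured traffic.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

GRAPHQL_PATH = "/api/graphql"


def parse_time(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps GitLab writes (trailing 'Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def flag_graphql_floods(lines, window_s=10, threshold=20):
    """Per source IP, count /api/graphql requests in a sliding window of window_s seconds.

    Returns {ip: {"peak_per_window": n, "errors_5xx": m}} for every IP whose
    peak window count exceeds threshold. Lines are expected in time order, as in
    the log file; blank, non-JSON and non-GraphQL lines are skipped.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)       # ip -> largest window count seen
    errors = defaultdict(int)     # ip -> 5xx responses to its GraphQL calls
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("path") != GRAPHQL_PATH:
            continue
        ip = rec.get("remote_ip", "unknown")
        t = parse_time(rec["time"])
        q = recent[ip]
        q.append(t)
        while q and (t - q[0]) > timedelta(seconds=window_s):
            q.popleft()  # drop requests that fell out of the window
        peak[ip] = max(peak[ip], len(q))
        if int(rec.get("status", 0)) >= 500:
            errors[ip] += 1
    return {ip: {"peak_per_window": n, "errors_5xx": errors[ip]}
            for ip, n in peak.items() if n > threshold}


def build_sample_log():
    """Constructed sample: one client browses normally, one hammers the endpoint."""
    base = datetime(2026, 4, 8, 10, 0, 0, tzinfo=timezone.utc)

    def entry(offset_s, ip, path, status, duration):
        stamp = (base + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
        return json.dumps({"time": stamp, "method": "POST" if path == GRAPHQL_PATH else "GET",
                           "path": path, "status": status, "remote_ip": ip, "duration_s": duration})

    lines = [entry(i * 12, "203.0.113.7", GRAPHQL_PATH, 200, 0.08) for i in range(5)]  # one call every 12 s
    lines.append(entry(7, "203.0.113.7", "/root/project", 200, 0.15))                   # ordinary page load
    for i in range(30):  # 30 GraphQL calls in 6 s; the last ones time out as the server saturates
        lines.append(entry(20 + i * 0.2, "198.51.100.23", GRAPHQL_PATH,
                           503 if i >= 25 else 200, 2.5 if i >= 20 else 0.9))
    lines.sort(key=lambda l: json.loads(l)["time"])  # real log files are time-ordered
    return lines


if __name__ == "__main__":
    for ip, stats in flag_graphql_floods(build_sample_log()).items():
        print(f"{ip}: {stats['peak_per_window']} GraphQL requests within 10 s, {stats['errors_5xx']} 5xx")
```

On an Omnibus installation the production log is /var/log/gitlab/gitlab-rails/production_json.log. Two caveats when you point this at real data: remote_ip is only the true client address if GitLab is configured to trust the X-Forwarded-For header from your proxy or load balancer, otherwise every request appears to come from the proxy; and request count alone misses a slow attacker sending few but very expensive queries, for which GitLab's separate graphql_json.log (which records per-query complexity, depth and duration) is the better source.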
How to Mitigate CVE-2025-12664
Immediate Actions Required
- Update GitLab CE/EE to a patched version: 18.8.9, 18.9.5 or 18.10.3, depending on which minor release line you run (anything below 18.8 must move up to 18.8.9 or later along GitLab's supported upgrade path)
- Until then, rate-limit the /api/graphql endpoint at a reverse proxy or WAF in front of GitLab
- If immediate patching is not possible, consider having the proxy reject /api/graphql requests that carry neither an Authorization header nor a GitLab session cookie; be aware that the GitLab web UI itself calls this endpoint, so anonymous browsing of public projects will break
- Monitor GitLab instances for signs of active exploitation (request floods and 5xx errors on /api/graphql, as described above)
Patch Information
GitLab has released patches addressing this vulnerability in versions 18.8.9, 18.9.5, and 18.10.3. Organizations should upgrade to the appropriate patched version based on their current GitLab installation. For detailed patch information, refer to the GitLab Patch Release Announcement and the GitLab Work Item Detail. The vulnerability was originally reported via the HackerOne Security Report.
Workarounds
- Deploy a reverse proxy or load balancer with rate-limiting capabilities in front of GitLab and limit /api/graphql specifically, as in the nginx example below
- Enable GitLab's built-in unauthenticated API request rate limit (Admin area > Settings > Network > User and IP rate limits) and confirm on your version that it applies to /api/graphql; this is enforced per IP inside the application, so it helps less against a distributed source than a proxy-side limit
- Configure firewall rules to limit the rate of requests to the /api/graphql endpoint
- Temporarily block unauthenticated access to the GraphQL endpoint if your workflow permits it; the web UI relies on this endpoint, so anonymous users will lose access to public projects
- Implement IP-based blocking for sources generating excessive GraphQL requests
# Example nginx rate limiting configuration for the GraphQL endpoint.
# limit_req_zone belongs in the http {} block; the location goes in the
# server {} block that fronts GitLab (with bundled Omnibus nginx, via
# nginx['custom_nginx_config'] and nginx['custom_gitlab_server_config']
# in gitlab.rb). $binary_remote_addr is only the real client when nginx
# is the first proxy; behind another load balancer use the real_ip module.
# rate/burst below are starting points; tune them to your legitimate traffic.
limit_req_zone $binary_remote_addr zone=graphql:10m rate=10r/s;
location /api/graphql {
    limit_req zone=graphql burst=20 nodelay;
    proxy_pass http://gitlab_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.