CVE-2025-14870 Overview
CVE-2025-14870 is a denial of service vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE). The flaw affects all versions from 18.5 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3. An unauthenticated attacker can send specially crafted JSON payloads to a vulnerable GitLab instance and exhaust server resources. The root cause is insufficient input validation, classified under [CWE-770] Allocation of Resources Without Limits or Throttling. GitLab has remediated the issue in patch releases 18.9.7, 18.10.6, and 18.11.3.
Critical Impact
Unauthenticated attackers can disrupt availability of GitLab CE/EE instances over the network without user interaction.
Affected Products
- GitLab CE/EE versions 18.5 through 18.9.6
- GitLab CE/EE versions 18.10 through 18.10.5
- GitLab CE/EE versions 18.11 through 18.11.2
Discovery Timeline
- 2026-05-13 - GitLab releases patch versions 18.11.3, 18.10.6, and 18.9.7
- 2026-05-14 - CVE-2025-14870 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2025-14870
Vulnerability Analysis
The vulnerability resides in GitLab's handling of JSON payloads submitted over the network. GitLab does not adequately validate the structure or size of incoming JSON before parsing it, so an attacker can craft payloads that force the application to consume excessive CPU, memory, or other backend resources. The advisory does not name the affected endpoint; because the attack vector is the network and no authentication or user interaction is required, any reachable GitLab endpoint that parses JSON should be treated as a candidate entry point until the patch is applied. The result is degraded service or full unavailability for legitimate users while the crafted requests are processed.
Root Cause
The root cause is insufficient input validation on JSON request bodies, mapped to [CWE-770] Allocation of Resources Without Limits or Throttling. GitLab accepts and processes JSON inputs without enforcing strict bounds on parsing complexity or resource consumption. This permits a single request to drive disproportionate work on the server side.
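To make the root cause concrete, here is an added example in Python; it is not GitLab code and not the fix GitLab shipped. It shows the kind of bound CWE-770 calls for: a single linear pass over the raw bytes that caps body size, nesting depth and container count before the body ever reaches a JSON parser, so the client cannot decide how much memory or stack the server spends. The limits, the function names and the four request bodies are constructed for illustration.

```python
import json

# Illustrative limits; these are assumptions for the example, not GitLab's settings.
MAX_BODY_BYTES = 64 * 1024
MAX_DEPTH = 32
MAX_CONTAINERS = 10_000


class JsonLimitError(ValueError):
    """Raised when a body exceeds a bound before any parser runs on it."""


def check_json_bounds(body: bytes, max_bytes: int = MAX_BODY_BYTES,
                      max_depth: int = MAX_DEPTH,
                      max_containers: int = MAX_CONTAINERS) -> dict:
    """One linear pass over the raw bytes enforcing size, nesting depth and
    container ('[' / '{') count. String literals are tracked so brackets inside
    a string value are not counted. This does not validate JSON; it only bounds
    the work a real parser is allowed to do afterwards."""
    if len(body) > max_bytes:
        raise JsonLimitError(f"body is {len(body)} bytes, limit {max_bytes}")
    depth = deepest = containers = 0
    in_string = escaped = False
    for ch in body:                      # iterating bytes yields ints
        if in_string:
            if escaped:
                escaped = False
            elif ch == 0x5C:             # backslash starts an escape
                escaped = True
            elif ch == 0x22:             # closing quote
                in_string = False
            continue
        if ch == 0x22:
            in_string = True
        elif ch in (0x5B, 0x7B):         # '[' or '{'
            depth += 1
            containers += 1
            if depth > max_depth:
                raise JsonLimitError(f"nesting depth exceeds {max_depth}")
            if containers > max_containers:
                raise JsonLimitError(f"more than {max_containers} containers")
            deepest = max(deepest, depth)
        elif ch in (0x5D, 0x7D):         # ']' or '}'
            depth -= 1
            if depth < 0:
                raise JsonLimitError("unbalanced closing bracket")
    if in_string or depth != 0:
        raise JsonLimitError("unterminated string or container")
    return {"bytes": len(body), "max_depth": deepest, "containers": containers}


def parse_bounded(body: bytes):
    """Hardened entry point: bound first, then hand the body to json.loads.
    The unhardened equivalent is plain json.loads(body)."""
    check_json_bounds(body)
    return json.loads(body)


def rejection_reason(body: bytes):
    """Returns the limit that was violated, or None when the body is accepted."""
    try:
        parse_bounded(body)
    except JsonLimitError as exc:
        return str(exc)
    return None


# Constructed request bodies for the example.
NORMAL = b'{"title": "bug", "labels": ["a", "b"], "note": "[[[not nesting]]]"}'
DEEP = b"[" * 5000 + b"]" * 5000                 # 10 KB, but 5000 levels deep
WIDE = b"[" + b"{}," * 20000 + b"{}]"            # ~60 KB, 20001 containers
HUGE = b'{"pad": "' + b"A" * (2 * MAX_BODY_BYTES) + b'"}'

if __name__ == "__main__":
    for name, body in [("NORMAL", NORMAL), ("DEEP", DEEP), ("WIDE", WIDE), ("HUGE", HUGE)]:
        print(name, rejection_reason(body) or "accepted")
```

DEEP and WIDE both pass a plain size check, which is why a body-size cap on its own is only a partial control: the depth and container bounds are what reject them, and they are evaluated without allocating any part of the document tree.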
Attack Vector
The attack is remote and unauthenticated. An attacker sends an HTTP request containing a crafted JSON body to a vulnerable GitLab endpoint. The server attempts to parse and process the input, exhausting resources and causing a denial of service condition. Repeated or parallel requests amplify the impact across the instance. Public proof-of-concept code is not referenced in the advisory. Technical details are tracked in the HackerOne Report #3446641 and the GitLab Work Item Update.
Detection Methods for CVE-2025-14870
Indicators of Compromise
- Sudden spikes in CPU or memory consumption on GitLab Rails, Puma, or Sidekiq workers without a correlated user activity increase.
- HTTP requests with unusually large or deeply nested JSON payloads directed at GitLab API endpoints.
- Increased rate of 5xx responses, request timeouts, or worker restarts in GitLab application logs.
Detection Strategies
- Inspect web server and reverse proxy logs for anomalous request body sizes on POST, PUT, and PATCH requests with Content-Type: application/json. Note that NGINX's default access-log format records only the response bytes sent, not the request Content-Length; add $content_length (and $content_type) to the log_format before relying on this check.
- Correlate request patterns from single source IPs against availability metrics to identify resource-exhaustion attempts.
- Alert on repeated GitLab worker restarts or out-of-memory events reported by the host operating system.
Monitoring Recommendations
- Forward GitLab production logs, NGINX access logs, and host metrics into a centralized analytics platform for query and correlation.
- Track request latency percentiles and error rates per endpoint to detect abuse early.
- Establish baselines for JSON payload size distribution and alert on deviations.
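The detection strategies and monitoring recommendations above, as an added example that is not part of the original advisory: a small Python script that computes per-endpoint p95 latency and 5xx rate and correlates expensive or failing body-carrying requests back to their source address. The field names (method, path, status, remote_ip, duration_s, cpu_s) are those of GitLab's production_json.log; the log lines, addresses, paths and thresholds are constructed for the example and should be replaced with your own baseline.

```python
import json
import math
from collections import defaultdict

# Constructed sample of production_json.log lines. Field names follow the real log;
# timestamps, addresses, paths and values are made up for this example.
SAMPLE_LOG = """
{"time":"2026-05-13T10:00:01Z","method":"GET","path":"/api/v4/projects","status":200,"remote_ip":"10.0.0.5","duration_s":0.08,"cpu_s":0.03}
{"time":"2026-05-13T10:00:02Z","method":"POST","path":"/api/v4/projects/1/issues","status":201,"remote_ip":"10.0.0.5","duration_s":0.21,"cpu_s":0.09}
{"time":"2026-05-13T10:00:03Z","method":"POST","path":"/api/v4/projects/1/issues","status":503,"remote_ip":"203.0.113.7","duration_s":29.8,"cpu_s":28.9}
{"time":"2026-05-13T10:00:04Z","method":"POST","path":"/api/v4/projects/1/issues","status":503,"remote_ip":"203.0.113.7","duration_s":30.1,"cpu_s":29.4}
{"time":"2026-05-13T10:00:05Z","method":"POST","path":"/api/v4/projects/1/issues","status":500,"remote_ip":"203.0.113.7","duration_s":31.0,"cpu_s":30.2}
{"time":"2026-05-13T10:00:06Z","method":"GET","path":"/api/v4/projects","status":200,"remote_ip":"10.0.0.9","duration_s":0.11,"cpu_s":0.04}
{"time":"2026-05-13T10:00:07Z","method":"POST","path":"/api/v4/projects/1/issues","status":201,"remote_ip":"10.0.0.9","duration_s":0.19,"cpu_s":0.07}
"""

# Assumed thresholds; tune them against your own baseline.
CPU_S_SUSPECT = 5.0        # a single API request burning this much CPU is abnormal
MIN_SUSPECT_HITS = 3       # such requests from one address before alerting
P95_LIMIT_S = 2.0          # per-endpoint latency ceiling
ERROR_RATE_LIMIT = 0.2     # fraction of 5xx responses per endpoint


def parse_log(text: str) -> list:
    """One JSON object per non-empty line, as in production_json.log."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def nearest_rank(sorted_vals: list, q: float) -> float:
    """Nearest-rank percentile; good enough for alerting, no interpolation."""
    idx = math.ceil(q * len(sorted_vals)) - 1
    return sorted_vals[max(0, min(idx, len(sorted_vals) - 1))]


def endpoint_stats(entries: list) -> dict:
    """Per (method, path): request count, p95 duration and 5xx rate."""
    by_key = defaultdict(list)
    for e in entries:
        by_key[(e["method"], e["path"])].append(e)
    stats = {}
    for key, group in by_key.items():
        durations = sorted(e["duration_s"] for e in group)
        errors = sum(1 for e in group if e["status"] >= 500)
        stats[key] = {"count": len(group),
                      "p95_s": nearest_rank(durations, 0.95),
                      "error_rate": errors / len(group)}
    return stats


def degraded_endpoints(stats: dict, p95_limit=P95_LIMIT_S,
                       err_limit=ERROR_RATE_LIMIT) -> set:
    """Endpoints whose latency tail or error rate has left the acceptable range."""
    return {k for k, s in stats.items()
            if s["p95_s"] > p95_limit or s["error_rate"] > err_limit}


def suspicious_sources(entries: list, cpu_threshold=CPU_S_SUSPECT,
                       min_hits=MIN_SUSPECT_HITS) -> dict:
    """Addresses whose body-carrying requests (POST/PUT/PATCH) repeatedly either
    burn abnormal CPU or end in a 5xx: the per-source correlation from the text."""
    hits = defaultdict(int)
    for e in entries:
        if e["method"] in ("POST", "PUT", "PATCH") and \
                (e["cpu_s"] >= cpu_threshold or e["status"] >= 500):
            hits[e["remote_ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    stats = endpoint_stats(entries)
    for key in degraded_endpoints(stats):
        print("degraded endpoint:", key, stats[key])
    for ip, n in suspicious_sources(entries).items():
        print("suspicious source:", ip, "hits:", n)
```

In a real pipeline the same two functions run over a sliding time window rather than a whole file, and the per-source count should be compared against that address's normal request volume so that a busy CI runner is not flagged alongside an attacker.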
How to Mitigate CVE-2025-14870
Immediate Actions Required
- Upgrade GitLab CE/EE to 18.11.3, 18.10.6, or 18.9.7 depending on the deployed branch.
- Restrict network exposure of the GitLab instance (web UI and API, not only administrative interfaces) to trusted networks where possible; the vulnerable JSON handling is reachable without authentication.
- Place GitLab behind a reverse proxy or web application firewall (WAF) that enforces request size and rate limits.
Patch Information
GitLab released fixed versions on 2026-05-13. Administrators must upgrade to 18.9.7, 18.10.6, or 18.11.3. Full details are available in the GitLab Patch Release Note.
Workarounds
- Enforce strict maximum request body size limits on the upstream reverse proxy for endpoints accepting JSON, scoped so that git push over HTTP, Git LFS, and artifact uploads are not affected. A size cap alone does not bound nesting depth or element count (a few-kilobyte body can still nest thousands of levels), so treat it as a partial measure until the patch is applied.
- Apply per-source rate limiting at the load balancer or WAF to constrain unauthenticated request volume.
- Monitor and automatically restart unresponsive workers while the patch is being scheduled.
# Example NGINX configuration to limit JSON payload size and rate.
# Assumptions: GitLab Workhorse is reachable as gitlab_upstream (adjust the
# address); the 1m and 10r/s values are illustrative, not GitLab-recommended.
http {
    upstream gitlab_upstream {
        server 127.0.0.1:8181;   # placeholder; Omnibus normally uses the Workhorse socket
    }
    # One rate-limit bucket per client address, 10 requests/second sustained.
    limit_req_zone $binary_remote_addr zone=gitlab_api:10m rate=10r/s;
    limit_req_status 429;
    server {
        # Scope the body-size cap to the API location: setting it at http level
        # would also break git push over HTTP, LFS and artifact uploads.
        location /api/ {
            client_max_body_size 1m;
            limit_req zone=gitlab_api burst=20 nodelay;
            proxy_pass http://gitlab_upstream;
        }
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


