CVE-2025-3922 Overview
A denial of service vulnerability has been identified in GitLab CE/EE that allows an authenticated user to overwhelm system resources through the GraphQL API. The vulnerability stems from insufficient resource allocation limits, enabling attackers to exhaust server resources under certain conditions. This issue affects a wide range of GitLab versions, making it a significant concern for organizations running affected installations.
Critical Impact
Authenticated attackers can cause service disruption by exploiting insufficient resource limits in the GraphQL API, potentially rendering GitLab instances unavailable to legitimate users.
Affected Products
- GitLab Community Edition (CE) versions 12.4 to before 18.9.6
- GitLab Enterprise Edition (EE) versions 12.4 to before 18.9.6
- GitLab CE/EE versions 18.10 to before 18.10.4
- GitLab CE/EE version 18.11.0 (fixed in 18.11.1)
Discovery Timeline
- 2026-04-22 - CVE-2025-3922 published to NVD
- 2026-04-22 - GitLab releases security patch (versions 18.11.1, 18.10.4, and 18.9.6)
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-3922
Vulnerability Analysis
This vulnerability is classified as CWE-770 (Allocation of Resources Without Limits or Throttling). The GitLab GraphQL API implementation lacks adequate safeguards to prevent resource exhaustion attacks. An authenticated user can craft specific GraphQL queries that consume excessive server resources, including CPU, memory, or database connections. The network-accessible nature of the vulnerability combined with low attack complexity makes it relatively straightforward for an authenticated attacker to exploit.
The vulnerability requires low privileges to exploit, meaning any authenticated GitLab user could potentially launch a denial of service attack against the instance. While there is no impact on confidentiality or integrity, the availability impact is high, as successful exploitation can render the GitLab instance unresponsive.
Root Cause
The root cause lies in insufficient resource allocation limits within the GitLab GraphQL API implementation. The API fails to properly constrain the resources that can be consumed by individual queries or sessions. This includes inadequate query complexity limits, missing rate limiting mechanisms, or insufficient timeout configurations that would normally prevent resource exhaustion scenarios.
Attack Vector
The attack is conducted over the network against the GitLab GraphQL API endpoint. An attacker with valid authentication credentials can submit specially crafted GraphQL queries designed to consume excessive server resources. The attack requires no user interaction and can be executed with low complexity.
Common attack patterns against GraphQL APIs with insufficient resource limits include:
- Deeply nested queries that cause exponential processing overhead
- Batch queries requesting large numbers of objects simultaneously
- Queries with circular fragment references
- Requests that trigger expensive database operations or joins
The vulnerability can be exploited remotely by any authenticated user, making internal threat actors or compromised accounts potential attack vectors.
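The four patterns above are all structural properties of the query document itself, which means a defender can measure them before a request ever reaches a resolver. The following Python script is an added example for this page, not code from GitLab or from this advisory: it tokenizes a GraphQL document, computes the maximum nesting depth and the number of selected fields (aliases count as separate fields, which is how alias-based batching shows up), expands named fragment spreads while tracking the expansion path so that circular fragment references are rejected, and exposes a check_query gate that a reverse proxy or pre-flight hook could apply. GitLab's GraphQL layer enforces its own complexity and depth limits; this is an independent gate in front of it. The thresholds, the sample queries and the assumed limits (max_depth, max_fields) are constructed for illustration; the field names mirror GitLab's public schema only for readability.

```python
import re

# Strip block strings, ordinary strings and comments first so braces inside them are not miscounted.
_STRING_RE = re.compile(r'"""[\s\S]*?"""|"(?:[^"\\\n]|\\.)*"')
_COMMENT_RE = re.compile(r'#[^\n]*')
_TOKEN_RE = re.compile(r'\.\.\.|[{}():@]|[_A-Za-z][_0-9A-Za-z]*|\S')
_NAME_RE = re.compile(r'[_A-Za-z][_0-9A-Za-z]*')

# Constructed sample documents; field names mirror GitLab's public schema for illustration only.
NESTED_QUERY = """query ProjectIssues($path: ID!) {
  project(fullPath: $path) { name issues(first: 100) { nodes { title author { username } } } }
}"""
CYCLIC_QUERY = """query { group(fullPath: "top") { ...Tree } }
fragment Tree on Group { name parent { ...Tree } }"""
ALIASED_QUERY = '{ a: group(fullPath: "a") { name } b: group(fullPath: "b") { name } }'


def tokenize(query: str) -> list[str]:
    return _TOKEN_RE.findall(_COMMENT_RE.sub('', _STRING_RE.sub('""', query)))


class GraphQLQueryAnalyzer:
    """Structural analysis of one GraphQL document: nesting depth, field count, fragment cycles."""

    def __init__(self, query: str):
        self.tokens = tokenize(query)
        self.fragments: dict[str, int] = {}  # fragment name -> index of its opening '{'
        self.operations: list[int] = []      # index of each operation's opening '{'
        self._index_definitions()

    def _skip(self, i: int, open_tok: str, close_tok: str) -> int:
        """tokens[i] == open_tok; return the index just past its matching close_tok."""
        depth = 0
        for j in range(i, len(self.tokens)):
            depth += (self.tokens[j] == open_tok) - (self.tokens[j] == close_tok)
            if depth == 0:
                return j + 1
        raise ValueError(f"unbalanced {open_tok!r}")

    def _index_definitions(self) -> None:
        i = 0
        while i < len(self.tokens):
            tok = self.tokens[i]
            if tok == '(':                              # variable definitions; defaults may hold '{'
                i = self._skip(i, '(', ')')
            elif tok == 'fragment':
                name, i = self.tokens[i + 1], i + 2
                while self.tokens[i] != '{':            # skip 'on Type' and any directives
                    i = self._skip(i, '(', ')') if self.tokens[i] == '(' else i + 1
                self.fragments[name] = i
                i = self._skip(i, '{', '}')
            elif tok == '{':
                self.operations.append(i)
                i = self._skip(i, '{', '}')
            else:
                i += 1

    def _selection(self, i: int, stack: tuple[str, ...]) -> tuple[int, int, int]:
        """tokens[i] == '{'. Return (depth, field_count, index just past the closing '}')."""
        max_child, fields, j, merge_next = 0, 0, i + 1, False
        while True:
            tok = self.tokens[j]
            if tok == '}':
                return 1 + max_child, fields, j + 1
            if tok == '(':                              # arguments; input objects may hold '{'
                j = self._skip(j, '(', ')')
            elif tok == '{':                            # a field's (or inline fragment's) selection set
                d, f, j = self._selection(j, stack)
                max_child = max(max_child, d - 1 if merge_next else d)
                fields, merge_next = fields + f, False
            elif tok == '...':
                nxt = self.tokens[j + 1]
                if nxt in ('on', '@', '{'):             # inline fragment: merges into this level
                    merge_next, j = True, j + (3 if nxt == 'on' else 1)
                else:                                   # named spread: expand, tracking the path
                    if nxt in stack:
                        raise ValueError(f"circular fragment reference via {nxt!r}")
                    d, f, _ = self._selection(self.fragments[nxt], stack + (nxt,))
                    max_child, fields, j = max(max_child, d - 1), fields + f, j + 2
            elif tok == '@':
                j += 2                                  # directive name; arguments hit the '(' branch
            else:
                # a bare name is a field unless it follows ':' (then it is the aliased field name)
                if _NAME_RE.fullmatch(tok) and self.tokens[j - 1] != ':':
                    fields += 1
                j += 1

    def analyze(self) -> dict[str, int]:
        for name, idx in self.fragments.items():
            self._selection(idx, (name,))               # surfaces cycles even in unreferenced fragments
        depth = fields = 0
        for op in self.operations:
            d, f, _ = self._selection(op, ())
            depth, fields = max(depth, d), fields + f
        return {"max_depth": depth, "field_count": fields, "fragments": len(self.fragments)}


def check_query(query: str, max_depth: int = 10, max_fields: int = 200) -> list[str]:
    """Policy gate a proxy could apply before forwarding; an empty list means the query passes."""
    try:
        stats = GraphQLQueryAnalyzer(query).analyze()
    except (ValueError, KeyError, IndexError) as exc:
        return [f"rejected: {exc}"]                     # unknown fragments surface here as KeyError
    violations = []
    if stats["max_depth"] > max_depth:
        violations.append(f"depth {stats['max_depth']} exceeds limit {max_depth}")
    if stats["field_count"] > max_fields:
        violations.append(f"field count {stats['field_count']} exceeds limit {max_fields}")
    return violations
```

Running check_query(NESTED_QUERY, max_depth=3) reports a depth of 5, check_query(CYCLIC_QUERY) rejects the document because Tree spreads itself, and check_query(ALIASED_QUERY, max_fields=3) reports four fields even though only two distinct fields are selected. The depth of a fragment spread is folded into the enclosing selection set (d - 1) because a spread's braces merge into the set that contains it rather than adding a level of their own.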
Detection Methods for CVE-2025-3922
Indicators of Compromise
- Abnormal spikes in CPU or memory utilization on GitLab servers during GraphQL API requests
- Unusual query patterns in GraphQL API logs showing deeply nested or exceptionally complex queries
- Authentication logs showing repeated API access from the same user account with high query volumes
- Database connection exhaustion or timeout errors correlated with GraphQL endpoint activity
Detection Strategies
- Monitor GitLab application logs for GraphQL queries with excessive complexity scores
- Implement network-level monitoring for high-frequency requests to the /api/graphql endpoint
- Configure alerting for abnormal resource consumption patterns on GitLab server infrastructure
- Review authentication logs for accounts making unusual numbers of GraphQL API calls
Monitoring Recommendations
- Enable detailed logging for GraphQL API requests to capture query structure and execution times
- Set up performance baseline monitoring to detect deviations in response times and resource utilization
- Implement application performance monitoring (APM) to track GraphQL resolver execution metrics
- Configure SentinelOne Singularity Platform to monitor for process anomalies and resource exhaustion patterns on GitLab hosts
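The indicators and monitoring items above translate into two concrete checks: single queries whose depth, complexity or execution time is far above baseline, and accounts that issue an unusual volume of queries in a short window. The following Python script is an added example for this page, not code from GitLab, this advisory or SentinelOne. It runs both checks over constructed JSON lines laid out like GitLab's graphql_json.log (per-query depth, complexity and duration_s, plus time, correlation_id and meta.user); the field names are taken from that log format as the author understands it and should be verified against the instance's own log before use, and the thresholds are assumed values to be tuned against a measured baseline.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Alert thresholds (assumed values; tune against the instance's own baseline).
THRESHOLDS = {"depth": 10, "complexity": 250, "duration_s": 5.0, "per_user_per_minute": 30}


def build_sample_log() -> list[str]:
    """Constructed JSON lines in the shape of GitLab's graphql_json.log; not real GitLab output."""
    t0 = datetime(2026, 4, 22, 10, 0, 0, tzinfo=timezone.utc)

    def line(user, offset_s, depth, complexity, duration, op, cid):
        return json.dumps({
            "time": (t0 + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%S.%fZ"),
            "correlation_id": cid, "meta.user": user, "meta.remote_ip": "203.0.113.10",
            "operation_name": op, "depth": depth, "complexity": complexity, "duration_s": duration,
        })

    lines = [line("bob", 15 * i, 3, 40, 0.12, "currentUser", f"bob-{i}") for i in range(4)]
    lines.append(line("mallory", 30, 14, 900, 12.3, "projectTree", "mal-1"))  # one expensive query
    lines += [line("alice", 40 + i / 2, 2, 20, 0.05, "pipelineStatus", f"ali-{i}") for i in range(40)]
    return sorted(lines, key=lambda l: json.loads(l)["time"])


def detect(lines, thresholds=THRESHOLDS) -> list[dict]:
    """Flag expensive single queries and per-user bursts (sliding 60 s window)."""
    findings, recent, burst_reported = [], defaultdict(deque), set()
    for raw in lines:
        if not raw.strip():
            continue
        rec = json.loads(raw)
        user = rec.get("meta.user") or "anonymous"
        ts = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        for key in ("depth", "complexity", "duration_s"):
            if rec.get(key, 0) > thresholds[key]:
                findings.append({"type": f"high_{key}", "user": user, "value": rec[key],
                                 "correlation_id": rec.get("correlation_id")})
        window = recent[user]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=60):
            window.popleft()
        if len(window) > thresholds["per_user_per_minute"] and user not in burst_reported:
            burst_reported.add(user)  # report each burst once, not on every further query
            findings.append({"type": "query_burst", "user": user, "value": len(window),
                             "correlation_id": rec.get("correlation_id")})
    return findings


def summarize(findings) -> dict[tuple[str, str], int]:
    """Count findings per (type, user) for a quick triage view."""
    counts = defaultdict(int)
    for f in findings:
        counts[(f["type"], f["user"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in sorted(summarize(detect(build_sample_log())).items()):
        print(f"{key[0]:<16} {key[1]:<8} {n}")
```

On the constructed sample the script raises three findings for mallory's single deep, high-complexity, slow query and one query_burst finding for alice, who issues 40 small queries in 20 seconds, while bob's routine traffic produces nothing. The correlation_id carried in each finding is what ties the alert back to the matching entries in the other GitLab logs during triage.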
How to Mitigate CVE-2025-3922
Immediate Actions Required
- Upgrade GitLab CE/EE to version 18.11.1, 18.10.4, or 18.9.6 depending on your current version branch
- If immediate patching is not possible, implement rate limiting at the network or application layer for the GraphQL API endpoint
- Review and audit GraphQL query complexity limits in your current GitLab configuration
- Monitor for signs of active exploitation while patch deployment is in progress
Patch Information
GitLab has released patched versions that address this vulnerability. Organizations should upgrade to the following versions based on their current deployment:
- Version 18.11.1 for installations on the 18.11.x branch
- Version 18.10.4 for installations on the 18.10.x branch
- Version 18.9.6 for installations on earlier version branches (12.4 through 18.9.x)
Refer to the GitLab Patch Release Announcement for complete upgrade instructions and additional security fixes included in these releases.
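Because the affected ranges span three release branches with three different fixed versions, checking a fleet by hand is error-prone. The following Python helper is an added example for this page, not GitLab's code: it encodes the ranges exactly as the advisory states them, parses GitLab version strings (including the -ce/-ee edition suffix), and returns for each instance whether it is in an affected range and which release closes it. The fleet list it consumes is assumed to hold the version field reported by each instance's GET /api/v4/version endpoint.

```python
import re

# Affected ranges from the advisory: (first affected, first fixed, release to upgrade to).
AFFECTED_RANGES = (
    ((12, 4, 0), (18, 9, 6), "18.9.6"),
    ((18, 10, 0), (18, 10, 4), "18.10.4"),
    ((18, 11, 0), (18, 11, 1), "18.11.1"),
)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple[int, int, int]:
    """'18.9.5-ee' -> (18, 9, 5); the -ce/-ee edition suffix and any build tag are ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def assess(version: str) -> dict:
    """Return whether a version lies in an affected range and which release closes it."""
    v = parse_version(version)
    for first_affected, first_fixed, fixed_release in AFFECTED_RANGES:
        if first_affected <= v < first_fixed:
            return {"version": version, "affected": True, "upgrade_to": fixed_release}
    return {"version": version, "affected": False, "upgrade_to": None}


def assess_inventory(versions: list[str]) -> list[dict]:
    """Assess a fleet list, e.g. the 'version' field from each instance's GET /api/v4/version."""
    return [assess(v) for v in versions]


if __name__ == "__main__":
    # Constructed inventory; the version strings are illustrative, not real hosts.
    for row in assess_inventory(["18.9.5-ee", "18.10.4-ce", "18.11.0-ee", "17.2.1-ce"]):
        print(row)
```

The ranges are half-open (first affected inclusive, first fixed exclusive), which is what makes 18.9.6, 18.10.4 and 18.11.1 themselves report as not affected while 18.9.5, 18.10.3 and 18.11.0 report the release they must move to.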
Workarounds
- Implement a reverse proxy or web application firewall (WAF) to rate limit requests to the /api/graphql endpoint
- Configure network-level throttling to limit the number of concurrent connections from individual IP addresses
- Review and restrict GraphQL API access to only essential users and integrations until patching is completed
- Consider temporarily disabling the GraphQL API if it is not critical to your operations while awaiting patch deployment
# Example: Rate limiting GraphQL API using nginx (temporary workaround)
# Add to nginx configuration for GitLab proxy: limit_req_zone goes in the http {} context,
# the location block inside the server {} that proxies GitLab (gitlab_upstream is the
# existing upstream name for the GitLab backend).
# The zone is keyed by client IP ($binary_remote_addr): clients behind a shared NAT share
# one bucket, and if nginx sits behind a load balancer the key must come from the forwarded
# client address instead, or every request is counted against the balancer's IP.
limit_req_zone $binary_remote_addr zone=graphql_limit:10m rate=10r/s;

location /api/graphql {
    limit_req zone=graphql_limit burst=20 nodelay;
    proxy_pass http://gitlab_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

