CVE-2025-3922 Overview
CVE-2025-3922 is a denial of service vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE). The flaw resides in the GraphQL API, where insufficient resource allocation limits allow an authenticated user to overwhelm system resources under certain conditions. The issue affects all versions from 12.4 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1. GitLab patched the vulnerability in the 18.11.1 release on April 22, 2026. The weakness is classified as [CWE-770]: Allocation of Resources Without Limits or Throttling.
Critical Impact
An authenticated attacker can trigger high availability impact on GitLab instances by issuing crafted GraphQL queries that consume excessive system resources, disrupting service for all users.
Affected Products
- GitLab Community Edition (CE) versions 12.4 through 18.9.5
- GitLab Enterprise Edition (EE) versions 18.10 through 18.10.3
- GitLab CE/EE version 18.11.0
Discovery Timeline
- 2026-04-22 - GitLab releases security patch in version 18.11.1
- 2026-04-22 - CVE-2025-3922 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-3922
Vulnerability Analysis
The vulnerability stems from insufficient resource allocation limits in the GitLab GraphQL API. GraphQL allows clients to request complex, nested data structures in a single query. Without proper depth, complexity, or rate limiting controls, a single request can fan out to consume substantial CPU, memory, or database resources on the server.
An authenticated user, holding any valid account on the instance, can submit queries that trigger expensive backend operations. Under certain conditions described by GitLab, these queries exhaust system resources and degrade or halt availability for other users. The flaw does not expose data confidentiality or integrity. The impact is limited to availability.
Root Cause
The root cause is the absence of adequate guardrails on GraphQL query cost, depth, or concurrent execution within the affected GitLab versions. GitLab's resolver code did not enforce strict limits sufficient to block resource-amplifying queries. This maps directly to [CWE-770] Allocation of Resources Without Limits or Throttling.
Attack Vector
Exploitation requires network access to the GitLab GraphQL endpoint, typically /api/graphql, and valid authenticated credentials with low privileges. No user interaction is required from victims. An attacker submits one or more crafted GraphQL queries designed to amplify backend work, leading to denial of service. Full technical details are available in the GitLab Work Item #537422 and HackerOne Report #3098035.
Detection Methods for CVE-2025-3922
Indicators of Compromise
- Spikes in CPU, memory, or database load on GitLab application or Sidekiq workers correlated with requests to /api/graphql.
- Repeated GraphQL POST requests from a single authenticated user or token with unusually large payloads or deep nested selection sets.
- Elevated error rates, request timeouts, or 502/503 responses from the GitLab web frontend during query bursts.
Detection Strategies
- Parse GitLab production_json.log and api_json.log for GraphQL requests and flag entries with high duration_s, large params payloads, or repeated requests from the same user_id.
- Implement query introspection at a reverse proxy or WAF to score GraphQL operations by depth and field count, alerting on outliers.
- Correlate authentication events with sudden resource consumption to identify abusive tokens or accounts.
Monitoring Recommendations
- Track GraphQL endpoint latency, throughput, and error rates as a dedicated service-level indicator.
- Monitor PostgreSQL and Redis for long-running queries and connection saturation originating from GitLab application nodes.
- Alert on per-user GraphQL request volume and aggregate query complexity exceeding baseline thresholds.
How to Mitigate CVE-2025-3922
Immediate Actions Required
- Upgrade GitLab CE/EE to 18.9.6, 18.10.4, or 18.11.1 or later, depending on your current release branch.
- Audit GraphQL API access logs for abusive query patterns prior to patching.
- Restrict GitLab instance access to trusted networks where feasible, especially for self-managed deployments exposed to the internet.
Patch Information
GitLab released fixed versions on April 22, 2026. Refer to the GitLab Patch Release Announcement for complete upgrade instructions. The patch introduces stricter resource allocation limits on GraphQL query execution.
Workarounds
- Place a rate-limiting reverse proxy or API gateway in front of the /api/graphql endpoint to cap request frequency per user and token.
- Disable or restrict GraphQL API access for low-trust user tiers if business workflows allow.
- Temporarily revoke personal access tokens not in active use to reduce the attacker surface until patching completes.
# Example NGINX rate limit for the GitLab GraphQL endpoint
limit_req_zone $http_authorization zone=graphql_rl:10m rate=10r/s;
location /api/graphql {
limit_req zone=graphql_rl burst=20 nodelay;
proxy_pass http://gitlab_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
