CVE-2025-10004 (GCVE-0-2025-10004)
Vulnerability from cvelistv5
Published
2025-10-09 12:04
Modified
2025-10-09 13:16
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Summary
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.12 to 18.2.8, 18.3 to 18.3.4, and 18.4 to 18.4.2 that could make the GitLab instance unresponsive or severely degraded by sending crafted GraphQL queries requesting large repository blobs.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-10004", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-10-09T13:15:06.752510Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-10-09T13:16:38.980Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "cpes": [ "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*" ], "defaultStatus": "unaffected", "product": "GitLab", "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", "vendor": "GitLab", "versions": [ { "lessThan": "18.2.8", "status": "affected", "version": "13.12", "versionType": "semver" }, { "lessThan": "18.3.4", "status": "affected", "version": "18.3", "versionType": "semver" }, { "lessThan": "18.4.2", "status": "affected", "version": "18.4", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Thanks [pwnie](https://hackerone.com/pwnie) for reporting this vulnerability through our HackerOne bug bounty program" } ], "descriptions": [ { "lang": "en", "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.12 to 18.2.8, 18.3 to 18.3.4, and 18.4 to 18.4.2 that could make the GitLab instance unresponsive or severely degraded by sending crafted GraphQL queries requesting large repository blobs." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-10-09T12:04:30.109Z", "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab" }, "references": [ { "url": "https://about.gitlab.com/releases/2025/10/08/patch-release-gitlab-18-4-2-released/" }, { "name": "GitLab Issue #568121", "tags": [ "issue-tracking", "permissions-required" ], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/568121" }, { "name": "HackerOne Bug Bounty Report #3026555", "tags": [ "technical-description", "exploit", "permissions-required" ], "url": "https://hackerone.com/reports/3026555" } ], "solutions": [ { "lang": "en", "value": "Upgrade to version 18.2.8, 18.3.4 or 18.4.2" } ], "title": "Allocation of Resources Without Limits or Throttling in GitLab" } }, "cveMetadata": { "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "assignerShortName": "GitLab", "cveId": "CVE-2025-10004", "datePublished": "2025-10-09T12:04:30.109Z", "dateReserved": "2025-09-04T18:33:25.673Z", "dateUpdated": "2025-10-09T13:16:38.980Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2025-10004\",\"sourceIdentifier\":\"cve@gitlab.com\",\"published\":\"2025-10-09T12:15:34.570\",\"lastModified\":\"2025-10-09T15:50:04.013\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.12 to 18.2.8, 18.3 to 18.3.4, and 18.4 to 18.4.2 that could make the GitLab instance unresponsive or severely degraded by sending crafted GraphQL queries requesting large repository blobs.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve@gitlab.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"cve@gitlab.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"references\":[{\"url\":\"https://about.gitlab.com/releases/2025/10/08/patch-release-gitlab-18-4-2-released/\",\"source\":\"cve@gitlab.com\"},{\"url\":\"https://gitlab.com/gitlab-org/gitlab/-/issues/568121\",\"source\":\"cve@gitlab.com\"},{\"url\":\"https://hackerone.com/reports/3026555\",\"source\":\"cve@gitlab.com\"}]}}", "vulnrichment": { "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-10004\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-10-09T13:15:06.752510Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-10-09T13:16:30.362Z\"}}], \"cna\": {\"title\": \"Allocation of Resources Without Limits or Throttling in GitLab\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Thanks [pwnie](https://hackerone.com/pwnie) for reporting this vulnerability through our HackerOne bug bounty program\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*\"], \"repo\": \"git://git@gitlab.com:gitlab-org/gitlab.git\", \"vendor\": \"GitLab\", \"product\": \"GitLab\", \"versions\": [{\"status\": \"affected\", \"version\": \"13.12\", \"lessThan\": \"18.2.8\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"18.3\", \"lessThan\": \"18.3.4\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"18.4\", \"lessThan\": \"18.4.2\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Upgrade to version 18.2.8, 18.3.4 or 18.4.2\"}], \"references\": [{\"url\": \"https://about.gitlab.com/releases/2025/10/08/patch-release-gitlab-18-4-2-released/\"}, {\"url\": \"https://gitlab.com/gitlab-org/gitlab/-/issues/568121\", \"name\": \"GitLab Issue #568121\", \"tags\": [\"issue-tracking\", \"permissions-required\"]}, {\"url\": \"https://hackerone.com/reports/3026555\", \"name\": \"HackerOne Bug Bounty Report #3026555\", \"tags\": [\"technical-description\", \"exploit\", \"permissions-required\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.12 to 18.2.8, 18.3 to 18.3.4, and 18.4 to 18.4.2 that could make the GitLab instance unresponsive or severely degraded by sending crafted GraphQL queries requesting large repository blobs.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"CWE-770: Allocation of Resources Without Limits or Throttling\"}]}], \"providerMetadata\": {\"orgId\": \"ceab7361-8a18-47b1-92ba-4d7d25f6715a\", \"shortName\": \"GitLab\", \"dateUpdated\": \"2025-10-09T12:04:30.109Z\"}}}", "cveMetadata": "{\"cveId\": \"CVE-2025-10004\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-09T13:16:38.980Z\", \"dateReserved\": \"2025-09-04T18:33:25.673Z\", \"assignerOrgId\": \"ceab7361-8a18-47b1-92ba-4d7d25f6715a\", \"datePublished\": \"2025-10-09T12:04:30.109Z\", \"assignerShortName\": \"GitLab\"}", "dataType": "CVE_RECORD", "dataVersion": "5.1" } } }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…