CVE-2025-11447
📋 TL;DR
This vulnerability allows unauthenticated attackers to cause denial of service in GitLab instances by sending specially crafted GraphQL requests with malicious JSON payloads. All GitLab Community Edition and Enterprise Edition installations running affected versions are vulnerable. The attack requires no authentication and can disrupt service availability.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability for all GitLab users, potentially disrupting development workflows, CI/CD pipelines, and code repository access.
Likely Case
Partial or intermittent service degradation affecting GitLab availability, potentially impacting development teams and automated processes.
If Mitigated
Reduced exposure rather than none: per-source rate limiting on /api/graphql, WAF inspection of request bodies, and restricting the endpoint to trusted networks raise the cost of an attack and contain its blast radius, but none of them removes the underlying bug. Only upgrading does.
🎯 Exploit Status
The attack consists of sending crafted JSON payloads to the GraphQL endpoint (/api/graphql); no authentication is needed. No public proof of concept is linked here; exploit details may be available in the HackerOne report.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 18.3.5, 18.4.3, or 18.5.1
Vendor Advisory: https://about.gitlab.com/releases/2025/10/22/patch-release-gitlab-18-5-1-released/
Restart Required: Yes
Instructions:
1. Back up the instance first (Omnibus: sudo gitlab-backup create, plus a copy of /etc/gitlab).
2. Upgrade to the patched release for your installation type: Omnibus package (apt/yum), Docker image, Helm chart, or source install. Pick the patched release of the branch you are on (18.3.x to 18.3.5, 18.4.x to 18.4.3, 18.5.x to 18.5.1) or a later release reached via GitLab's documented upgrade path.
3. Restart GitLab services if the upgrade did not already do so (Omnibus: sudo gitlab-ctl restart).
4. Confirm the new version with the check in the How to Verify section.
🔧 Temporary Workarounds
Rate Limit GraphQL Endpoints
Implement per-client rate limiting on /api/graphql to slow an attacker down. The page does not say how many requests are needed to trigger the condition, so this raises the cost rather than closes the hole. Set the rate high enough for the GitLab web UI, which itself calls GraphQL heavily, and expect shared egress addresses (corporate NAT, CI runners) to hit the limit first.
# http context (Omnibus: nginx['custom_nginx_config'] in /etc/gitlab/gitlab.rb, then gitlab-ctl reconfigure)
limit_req_zone $binary_remote_addr zone=graphql:10m rate=10r/s;
# inside the GitLab server block (Omnibus: nginx['custom_gitlab_server_config']), in a location /api/graphql that keeps the generated proxy_pass/proxy_set_header directives
limit_req zone=graphql burst=20 nodelay;
WAF Rule for GraphQL Payloads
Add a WAF rule that rejects bodies sent to /api/graphql that do not parse as JSON. Do not simply deny every request to /api/graphql: a blanket rule of that kind also breaks the GitLab web UI, which uses the same endpoint. Because the page does not describe what makes the payload "specially crafted", a parse-failure rule may not stop it; treat this as a brake until the upgrade is done.
# ModSecurity: parse /api/graphql bodies with the JSON body processor (requires libyajl support) and reject ones that fail to parse
SecRule REQUEST_URI "@beginsWith /api/graphql" "id:1001,phase:1,pass,nolog,ctl:requestBodyProcessor=JSON"
SecRule REQUEST_URI "@beginsWith /api/graphql" "id:1002,phase:2,deny,status:400,msg:'Malformed JSON to GraphQL endpoint',chain"
    SecRule REQBODY_ERROR "!@eq 0"
🧯 If You Can't Patch
- Restrict access to the GitLab GraphQL endpoint with network ACLs (trusted networks or VPN only); the web UI needs /api/graphql, so narrow who can reach it rather than blocking it outright
- Deploy WAF with JSON payload inspection and rate limiting rules
🔍 How to Verify
Check if Vulnerable:
Compare the running version with the affected ranges: 11.0 through 18.3.4, 18.4.0 through 18.4.2, and 18.5.0 are vulnerable. The ranges are per branch: 18.4.0 is newer than 18.3.5 but still vulnerable.
Check Version:
sudo gitlab-rake gitlab:env:info | grep '^Version:'
The anchored pattern skips the Ruby, Gem and other "... Version:" lines in the same output. On Omnibus installs the first line of /opt/gitlab/version-manifest.txt gives the same answer without loading the Rails environment.
Verify Fix Applied:
Confirm the version is the patched release of the branch you are on or later: 18.3.x at 18.3.5 or higher, 18.4.x at 18.4.3 or higher, 18.5.x at 18.5.1 or higher, or any later minor release. Then exercise the GraphQL endpoint (a query from the web UI, or a POST to /api/graphql with curl) to confirm that any rate limits or WAF rules you added have not broken legitimate use.
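Because the fix points are per branch, a plain "version >= X" comparison gets 18.4.0 wrong. The script below is an added example, not part of this page or of GitLab's own tooling: it encodes the three branch-specific fix releases listed above so the check can be run across a fleet. The version ranges come from this page; the sample gitlab:env:info output is constructed.

```python
import re

# First fixed patch release per branch, as listed on this page.
FIXED_PATCH = {(18, 3): 5, (18, 4): 3, (18, 5): 1}
# Oldest version this page lists as affected.
OLDEST_AFFECTED = (11, 0, 0)


def parse_version(text):
    """Turn '18.4.2-ee', '18.4' or 'v18.4.2' into (18, 4, 2)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(version):
    """True when the version falls inside one of the affected ranges on this page."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_PATCH:
        # A branch that received a backport: compare against that branch's fix release.
        return patch < FIXED_PATCH[branch]
    # Anything from 11.0 up to, but excluding, the 18.3 branch; 18.6 and later ship the fix.
    return OLDEST_AFFECTED <= (major, minor, patch) < (18, 3, 0)


def version_from_env_info(output):
    """Pull the GitLab version out of `gitlab-rake gitlab:env:info` output.

    Only the line starting with 'Version:' is GitLab itself; 'Ruby Version:',
    'Gem Version:' and friends appear in the same output and must be skipped.
    """
    for line in output.splitlines():
        if line.startswith("Version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no 'Version:' line found")


# Constructed, abbreviated sample of gitlab:env:info output (not from a real host).
SAMPLE_ENV_INFO = """\
System information
System:         Ubuntu 22.04
Ruby Version:   3.2.5
Gem Version:    3.5.11

GitLab information
Version:        18.4.2-ee
"""

if __name__ == "__main__":
    running = version_from_env_info(SAMPLE_ENV_INFO)
    state = "VULNERABLE" if is_affected(running) else "patched"
    print(f"GitLab {running}: {state} (CVE-2025-11447)")
```

On a real host, replace SAMPLE_ENV_INFO with the output of `sudo gitlab-rake gitlab:env:info`.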
📡 Detection & Monitoring
Log Indicators:
- High volume of 400/500 errors from /api/graphql endpoint
- Unusual JSON parsing errors in application logs
- Increased CPU/memory usage on GitLab servers
Network Indicators:
- Spike in requests to /api/graphql from single IPs
- Large JSON payloads to GraphQL endpoints
- Unusual GraphQL query patterns
SIEM Query (Splunk-style; the field names below depend on how your SIEM normalizes GitLab's production_json.log, which records the request path as path and the HTTP status as status):
source="gitlab.logs" AND (uri_path="/api/graphql" AND (status>=400 OR message="JSON parsing error"))
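The indicators above are easy to state but noisy in practice, because the GitLab web UI generates a steady stream of GraphQL traffic from logged-in users. The detector below is an added example, not code from this page or from GitLab: it reads production_json.log lines, keeps only unauthenticated /api/graphql requests that failed or ran slowly, and flags a source address when too many land inside one time window. The field names (path, status, remote_ip, user_id, duration_s, time) are the ones GitLab writes to that log; the log lines themselves, and the window, threshold and slow-request cutoff, are constructed assumptions to tune for your instance.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# --- constructed sample of production_json.log lines (not real traffic) ---
_T0 = datetime(2025, 10, 23, 10, 0, 0, tzinfo=timezone.utc)


def _entry(ip, t, status, duration_s, user_id=None, path="/api/graphql"):
    return json.dumps({
        "method": "POST", "path": path, "controller": "GraphqlController",
        "action": "execute", "status": status, "duration_s": duration_s,
        "remote_ip": ip, "user_id": user_id,
        "time": t.isoformat(timespec="milliseconds").replace("+00:00", "Z"),
    })


SAMPLE_LOG = "\n".join(
    # 25 unauthenticated GraphQL requests from one address, one per second,
    # alternating between a 500 response and a very slow 200.
    [_entry("203.0.113.7", _T0 + timedelta(seconds=i),
            500 if i % 2 else 200, 0.4 if i % 2 else 12.0)
     for i in range(25)]
    + [
        _entry("203.0.113.7", _T0 + timedelta(seconds=40), 200, 0.05),          # healthy, not counted
        _entry("192.0.2.9", _T0 + timedelta(seconds=3), 400, 0.02),             # one error, below threshold
        _entry("198.51.100.4", _T0 + timedelta(seconds=5), 500, 9.0, user_id=42),   # authenticated, ignored
        _entry("198.51.100.4", _T0 + timedelta(seconds=6), 200, 0.1, user_id=42,
               path="/api/v4/projects"),                                          # not GraphQL, ignored
    ]
)


def parse_log(text):
    """Yield one dict per non-empty JSON line; skip lines that are not JSON."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def flag_graphql_abuse(entries, window_s=60, threshold=20, slow_s=5.0):
    """Return {remote_ip: peak_count} for addresses whose unauthenticated
    /api/graphql requests that failed (status >= 400) or took at least
    slow_s seconds reach `threshold` inside any window_s-second window.

    Authenticated requests are skipped: the attack needs no login, and the
    web UI's own GraphQL calls would otherwise dominate the counts.
    """
    suspect_times = defaultdict(list)
    for e in entries:
        if e.get("path") != "/api/graphql" or e.get("user_id") is not None:
            continue
        if e.get("status", 0) >= 400 or float(e.get("duration_s", 0)) >= slow_s:
            ts = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
            suspect_times[e.get("remote_ip", "?")].append(ts)

    flagged = {}
    window = timedelta(seconds=window_s)
    for ip, times in suspect_times.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, n in flag_graphql_abuse(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {n} failed or slow unauthenticated GraphQL requests within 60 s")
```

Run it against the real file with `parse_log(open("/var/log/gitlab/gitlab-rails/production_json.log").read())` on an Omnibus host; the slow-request criterion matters because a payload that pins a worker can return 200 after a long time rather than an error, which a status-only query would miss.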