CVE-2025-12562
📋 TL;DR
This vulnerability allows unauthenticated attackers to send specially crafted GraphQL queries that bypass complexity limits, causing denial of service in GitLab instances. All GitLab CE/EE deployments running affected versions are vulnerable. The attack requires no authentication and can be performed remotely.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability for all GitLab users, potentially requiring manual intervention to restore service.
Likely Case
Degraded performance or temporary service disruption affecting user productivity and CI/CD pipelines.
If Mitigated
Minimal impact with proper rate limiting, WAF rules, and network segmentation in place.
🎯 Exploit Status
Attack requires crafting specific GraphQL queries but no authentication or special privileges needed. Public details available in HackerOne report.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 18.4.6, 18.5.4, or 18.6.2
Vendor Advisory: https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released/
Restart Required: Yes
Instructions:
1. Backup your GitLab instance.
2. Update to a patched version using your deployment method (Omnibus, Helm, source).
3. Restart GitLab services.
4. Verify the update with a version check.
🔧 Temporary Workarounds
Rate Limit GraphQL Endpoints
Implement rate limiting on /api/graphql endpoints to reduce DoS impact
# Configure in nginx or the load balancer / reverse proxy in front of GitLab.
# The zone must be declared once in the http {} context (10 MB of state, 10 requests
# per second per client address); the location block then applies it with a short burst.
limit_req_zone $binary_remote_addr zone=graphql:10m rate=10r/s;
location /api/graphql {
    limit_req zone=graphql burst=10 nodelay;
}
WAF Rule for GraphQL Complexity
Add WAF rules to detect and block excessive GraphQL query complexity
# ModSecurity rule example: deny requests to /api/graphql whose body nests more than
# about 12 brace levels (a crude proxy for selection depth). Requires SecRequestBodyAccess On;
# tune the threshold against the queries your legitimate clients send.
SecRule REQUEST_URI "@streq /api/graphql" \
"id:1001,phase:2,deny,status:400,msg:'GraphQL complexity limit exceeded',chain"
    SecRule REQUEST_BODY "@rx (?:\{[^{}]*){12,}" "t:none"
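Both workarounds above only approximate what a complexity limit is meant to enforce. As an added illustration (example code written for this page, not GitLab's own complexity analyzer and not part of the advisory), the following Python pre-filter scores a GraphQL document by selection-set depth and field count before it is forwarded to the API, ignoring braces that belong to argument input objects, strings and comments. The thresholds, the helper names and the sample queries are assumptions.

```python
import re

# Hypothetical thresholds for an edge-side pre-filter (not GitLab's own limits).
MAX_DEPTH = 10
MAX_FIELDS = 200

# GraphQL keywords that can appear in selection positions but are not fields.
KEYWORDS = {"query", "mutation", "subscription", "fragment", "on", "true", "false", "null"}

_BLOCK_STRING_RE = re.compile(r'"""[\s\S]*?"""')
_STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')
_COMMENT_RE = re.compile(r'#[^\n]*')
_IDENT_RE = re.compile(r'[A-Za-z_][A-Za-z0-9_]*')


def analyze_query(query: str) -> dict:
    """Return the maximum selection-set depth and a rough field count.

    Braces inside argument lists (input objects), strings and comments are
    skipped, so only real selection sets contribute to depth.
    """
    cleaned = _COMMENT_RE.sub("", _STRING_RE.sub('""', _BLOCK_STRING_RE.sub('""', query)))
    depth = max_depth = paren = fields = 0
    i, n = 0, len(cleaned)
    while i < n:
        ch = cleaned[i]
        if ch == "(":
            paren += 1
        elif ch == ")":
            paren -= 1
            if paren < 0:
                raise ValueError("unbalanced parentheses")
        elif paren == 0:
            if ch == "{":
                depth += 1
                max_depth = max(max_depth, depth)
            elif ch == "}":
                depth -= 1
                if depth < 0:
                    raise ValueError("unbalanced braces")
            elif ch == "@":  # directive name such as @include; not a field
                m = _IDENT_RE.match(cleaned, i + 1)
                i = m.end() if m else i + 1
                continue
            else:
                m = _IDENT_RE.match(cleaned, i)
                if m:
                    # Identifiers inside a selection set are fields (aliases and
                    # fragment spreads are counted too, which errs on the safe side).
                    if depth > 0 and m.group(0) not in KEYWORDS:
                        fields += 1
                    i = m.end()
                    continue
        i += 1
    if depth != 0 or paren != 0:
        raise ValueError("unbalanced braces or parentheses")
    return {"depth": max_depth, "fields": fields}


def check_query(query: str, max_depth: int = MAX_DEPTH, max_fields: int = MAX_FIELDS) -> dict:
    """Decide whether a document is cheap enough to forward; malformed input is rejected."""
    try:
        stats = analyze_query(query)
    except ValueError as exc:
        return {"allowed": False, "reasons": [str(exc)], "depth": None, "fields": None}
    reasons = []
    if stats["depth"] > max_depth:
        reasons.append(f"depth {stats['depth']} exceeds {max_depth}")
    if stats["fields"] > max_fields:
        reasons.append(f"{stats['fields']} fields exceed {max_fields}")
    return {"allowed": not reasons, "reasons": reasons, **stats}


def nested_query(levels: int) -> str:
    """Constructed input: a selection nested `levels` deep under the root selection set."""
    return "{ " + "group { " * levels + "name" + " }" * levels + " }"


# Constructed, ordinary-looking query used as the "allowed" case.
NORMAL_QUERY = """
query ProjectOverview($path: ID!) {
  project(fullPath: $path) {
    name
    issues(first: 5) @include(if: true) {
      nodes { title }
    }
  }
}
"""

if __name__ == "__main__":
    for label, q in (("normal", NORMAL_QUERY), ("deep", nested_query(12))):
        print(label, check_query(q))
```

The scanner deliberately stays simpler than a full GraphQL parser: it rejects unbalanced documents outright and over-counts aliases and fragment spreads rather than under-counting them, so a benign query is never judged cheaper than it is. It does not resolve fragments, so a document that reaches depth only through fragment definitions must be measured with the fragments expanded.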
🧯 If You Can't Patch
- Implement network-level restrictions to limit GraphQL endpoint access to trusted sources only
- Deploy additional monitoring and alerting for unusual GraphQL query patterns or resource consumption spikes
🔍 How to Verify
Check if Vulnerable:
Check GitLab version with: sudo gitlab-rake gitlab:env:info | grep 'GitLab version'
Check Version:
sudo gitlab-rake gitlab:env:info | grep 'GitLab version'
Verify Fix Applied:
Confirm the running version is 18.4.6, 18.5.4 or 18.6.2 (or a later release on the same line), then test the GraphQL endpoint with complex queries to confirm the complexity limit is enforced.
📡 Detection & Monitoring
Log Indicators:
- High frequency of GraphQL requests from single IP
- Unusually large GraphQL query payloads
- Increased CPU/memory usage on GitLab servers
Network Indicators:
- Bursts of POST requests to /api/graphql endpoint
- Abnormal request patterns outside business hours
SIEM Query:
source="gitlab" (uri_path="/api/graphql") | stats count by src_ip | where count > 100
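An added example (written for this page, not GitLab or vendor code) that applies the indicators above to log data the way the SIEM query does, but with a sliding window instead of a flat count: it flags source addresses whose GraphQL POST rate exceeds a threshold within any five-minute span, lists oversized request bodies, and isolates requests outside business hours. The log lines are constructed JSON records; their field names (remote_ip, path, content_length and so on), the thresholds and the sample addresses are assumptions, not GitLab's log schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions; tune them to the instance's normal traffic.
BURST_THRESHOLD = 100                # GraphQL POSTs from one IP within BURST_WINDOW
BURST_WINDOW = timedelta(minutes=5)
MAX_BODY_BYTES = 100_000             # request bodies above this are "unusually large"
BUSINESS_HOURS = (8, 18)             # hours treated as normal working time

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_log() -> str:
    """Constructed JSON-lines log: a quiet daytime client, one oversized query,
    and a 120-request burst from a single address at 02:00."""
    def rec(ip, t, path="/api/graphql", method="POST", size=800):
        return json.dumps({"time": t.strftime(TIME_FMT), "remote_ip": ip, "method": method,
                           "path": path, "status": 200, "content_length": size})
    lines = []
    day = datetime(2025, 12, 11)
    for h in range(9, 14):                                   # five ordinary requests
        lines.append(rec("203.0.113.5", day.replace(hour=h)))
    lines.append(rec("203.0.113.5", day.replace(hour=10), path="/api/v4/projects", method="GET"))
    lines.append(rec("192.0.2.9", day.replace(hour=10, minute=30), size=250_000))
    burst_start = day.replace(hour=2)
    for i in range(120):                                     # one request per second
        lines.append(rec("198.51.100.7", burst_start + timedelta(seconds=i), size=50_000))
    return "\n".join(lines) + "\n"


def parse_log(text: str) -> list:
    """Parse JSON lines into dicts with a datetime in the 'time' field."""
    events = []
    for line in text.splitlines():
        if line.strip():
            event = json.loads(line)
            event["time"] = datetime.strptime(event["time"], TIME_FMT)
            events.append(event)
    return events


def graphql_posts(events) -> list:
    return [e for e in events if e["path"] == "/api/graphql" and e["method"] == "POST"]


def burst_sources(events, threshold=BURST_THRESHOLD, window=BURST_WINDOW) -> dict:
    """Addresses whose GraphQL POST count inside any sliding `window` exceeds
    `threshold`, mapped to the peak count observed."""
    by_ip = defaultdict(list)
    for e in graphql_posts(events):
        by_ip[e["remote_ip"]].append(e["time"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:     # slide the window's left edge forward
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def oversized_requests(events, max_bytes=MAX_BODY_BYTES) -> list:
    return [(e["remote_ip"], e["content_length"])
            for e in graphql_posts(events) if e["content_length"] > max_bytes]


def off_hours_requests(events, hours=BUSINESS_HOURS) -> list:
    start, end = hours
    return [e for e in graphql_posts(events) if not (start <= e["time"].hour < end)]


def summarize(events) -> dict:
    return {
        "burst_sources": burst_sources(events),
        "oversized": oversized_requests(events),
        "off_hours_count": len(off_hours_requests(events)),
    }


if __name__ == "__main__":
    print(summarize(parse_log(build_sample_log())))
```

The off-hours list is only a triage aid: on its own it is noisy for any instance with global users or scheduled CI, so it is most useful when combined with the burst or size signals for the same source address.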