CVE-2025-2256
📋 TL;DR
This vulnerability allows unauthenticated attackers to send multiple large SAML responses to GitLab instances, causing denial of service by making the service unresponsive to legitimate users. It affects all GitLab Community Edition and Enterprise Edition installations with vulnerable versions that have SAML authentication enabled.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage where GitLab becomes completely unresponsive, disrupting all development workflows, CI/CD pipelines, and code management operations.
Likely Case
Intermittent service degradation or temporary unavailability affecting user authentication and access to repositories, issues, and pipelines.
If Mitigated
Minimal impact with proper rate limiting, network controls, and monitoring in place to detect and block malicious SAML traffic.
🎯 Exploit Status
Attack requires sending multiple concurrent large SAML responses to the SAML endpoint. No authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 18.1.6, 18.2.6, or 18.3.2
Vendor Advisory: https://about.gitlab.com/releases/2025/09/10/patch-release-gitlab-18-3-2-released/
Restart Required: Yes
Instructions:
1. Back up the GitLab instance.
2. Update to a patched version using your deployment method (Omnibus, Helm, source).
3. Restart GitLab services.
4. Verify that SAML authentication works after the update.
🔧 Temporary Workarounds
Rate Limit SAML Endpoints
Implement rate limiting on the /users/auth/saml/callback endpoint to cap concurrent requests from a single source
# Configure in nginx or the load balancer in front of GitLab.
# limit_req_zone belongs in the http {} context; the location block goes in the GitLab server {} block
# (with Omnibus GitLab these can be supplied via nginx['custom_nginx_config'] and
# nginx['custom_gitlab_server_config'] in gitlab.rb).
limit_req_zone $binary_remote_addr zone=saml:10m rate=10r/s;
location /users/auth/saml/callback {
    # Legitimate SAML logins are browser POSTs from the user's own IP, so many users behind
    # one NAT share a bucket; tune rate and burst to your login volume before enforcing.
    limit_req zone=saml burst=20 nodelay;
}
Disable SAML Authentication
Temporarily disable SAML authentication if it is not critically required
# Edit /etc/gitlab/gitlab.rb (Omnibus). Users who sign in only through SAML cannot log in until it is re-enabled.
# Disable OmniAuth entirely
gitlab_rails['omniauth_enabled'] = false
# or remove only the SAML entry from the providers list (an empty list leaves no OmniAuth providers)
gitlab_rails['omniauth_providers'] = []
# Apply the change
sudo gitlab-ctl reconfigure
🧯 If You Can't Patch
- Implement WAF rules to block or rate limit large SAML responses
- Use network segmentation to restrict access to SAML endpoints to trusted sources only
🔍 How to Verify
Check if Vulnerable:
Check the GitLab version and whether SAML is enabled. The instance is vulnerable if the version is in the affected range and SAML is configured.
Check Version:
sudo gitlab-rake gitlab:env:info | grep Version
Verify Fix Applied:
Verify that the GitLab version is 18.1.6, 18.2.6, or 18.3.2 or higher, then test that SAML authentication works.
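The version check above has a series pitfall: 18.3.1 is numerically newer than 18.2.6 but is not patched, because each release series has its own fix version. The following is an added example (not part of this advisory or of GitLab itself) that parses the `Version:` line from `gitlab-rake gitlab:env:info` and applies the advisory's patched versions per series; the function and result names are assumptions.

```python
import re

# Patched releases listed in the advisory, keyed by release series.
PATCHED = {(18, 1): (18, 1, 6), (18, 2): (18, 2, 6), (18, 3): (18, 3, 2)}

def parse_version(env_info_line):
    """Extract (major, minor, patch) from a `gitlab:env:info` 'Version:' line,
    e.g. 'Version:\t18.3.1-ee'. Returns None when no version is present."""
    m = re.search(r"Version:\s*(\d+)\.(\d+)\.(\d+)", env_info_line)
    return tuple(int(x) for x in m.groups()) if m else None

def has_fix(version):
    """True if `version` is one of the advisory's patched releases or higher.
    A listed series is compared against its own fix version; any other series
    counts as fixed only if it is newer than the newest patched release."""
    series = version[:2]
    if series in PATCHED:
        return version >= PATCHED[series]
    return version >= max(PATCHED.values())

def check(env_info_line, saml_enabled):
    """Classify an instance as 'fix present', 'fix not present', or
    'not affected (SAML disabled)' per the advisory's verification steps."""
    v = parse_version(env_info_line)
    if v is None:
        raise ValueError("no GitLab version found in output")
    if not saml_enabled:
        return "not affected (SAML disabled)"
    return "fix present" if has_fix(v) else "fix not present"
```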
📡 Detection & Monitoring
Log Indicators:
- Multiple large SAML response entries in auth.log
- Increased error rates on SAML endpoints
- High memory/CPU usage spikes
Network Indicators:
- Unusual volume of traffic to /users/auth/saml/callback
- Multiple concurrent SAML requests from single IP
SIEM Query:
source="gitlab.log" AND "SAML" AND (response_size>10000 OR status=500) | stats count by src_ip
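As an added example of the network indicators above (not code from this advisory or from GitLab), the script below scans nginx-style access log lines for bursts of POSTs to /users/auth/saml/callback from one source IP and reports how many were large and how many ended in a 5xx. The log lines are constructed, and the log format is assumed to append `$request_length` as a final field, since the default combined format records only the response size.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed nginx-style access log (not real GitLab logs). The assumed log_format appends
# $request_length as a last field so the size of the POSTed SAML response can be judged.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Sep/2025:12:00:01 +0000] "POST /users/auth/saml/callback HTTP/1.1" 500 187 2097152
203.0.113.10 - - [10/Sep/2025:12:00:01 +0000] "POST /users/auth/saml/callback HTTP/1.1" 500 187 2097152
203.0.113.10 - - [10/Sep/2025:12:00:02 +0000] "POST /users/auth/saml/callback HTTP/1.1" 502 187 2097152
203.0.113.10 - - [10/Sep/2025:12:00:02 +0000] "POST /users/auth/saml/callback HTTP/1.1" 502 187 2097152
203.0.113.10 - - [10/Sep/2025:12:00:03 +0000] "POST /users/auth/saml/callback HTTP/1.1" 502 187 2097152
198.51.100.7 - - [10/Sep/2025:12:00:05 +0000] "POST /users/auth/saml/callback HTTP/1.1" 302 0 6144
198.51.100.7 - - [10/Sep/2025:12:01:10 +0000] "GET /group/project HTTP/1.1" 200 45210 512
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                     r'(?P<status>\d{3}) \d+ (?P<req_len>\d+)$')
SAML_CALLBACK = "/users/auth/saml/callback"
def parse(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"], e["req_len"] = int(e["status"]), int(e["req_len"])
    return e

def flag_saml_flood(log_text, window=timedelta(seconds=60), max_posts=3, large_bytes=1_000_000):
    """Return {ip: (callback_posts, large_posts, server_errors)} for every source IP that sent
    more than max_posts SAML callback POSTs within any sliding window of length `window`."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        e = parse(line)
        if e and e["method"] == "POST" and e["path"] == SAML_CALLBACK:
            per_ip[e["ip"]].append(e)
    flagged = {}
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            if end - start + 1 > max_posts:
                large = sum(1 for e in events if e["req_len"] >= large_bytes)
                errors = sum(1 for e in events if e["status"] >= 500)
                flagged[ip] = (len(events), large, errors)
                break
    return flagged
```

Thresholds are placeholders; set `max_posts` above your normal per-IP login rate so that a shared NAT is not reported on ordinary sign-in traffic.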