CVE-2025-8014
📋 TL;DR
This CVE describes a GraphQL query complexity bypass vulnerability in GitLab EE/CE that allows unauthenticated attackers to send specially crafted queries that bypass complexity limits, potentially causing resource exhaustion and denial of service. All GitLab instances running affected versions are vulnerable, and exploitation requires no authentication.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
Learn more about Gitlab →
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption through resource exhaustion, making GitLab unavailable to all users until manual intervention restores service.
Likely Case
Performance degradation and intermittent service outages affecting user productivity and CI/CD pipelines.
If Mitigated
Minimal impact with proper rate limiting, monitoring, and network controls in place to detect and block malicious queries.
🎯 Exploit Status
Exploitation requires crafting GraphQL queries that bypass complexity limits but doesn't require special tools or deep technical knowledge.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 18.2.7, 18.3.3, or 18.4.1
Vendor Advisory: https://gitlab.com/gitlab-org/gitlab/-/issues/556838
Restart Required: Yes
Instructions:
1. Back up your GitLab instance.
2. Update to GitLab 18.2.7, 18.3.3, or 18.4.1 depending on your current version track.
3. Restart GitLab services.
4. Verify the update was successful.
🔧 Temporary Workarounds
Rate Limit GraphQL Endpoints
Implement rate limiting on the /api/graphql endpoint to reduce the impact of DoS attempts
# Configure in nginx or load balancer
# limit_req_zone must be declared in the http {} context; the location block belongs in the server {} block for GitLab
limit_req_zone $binary_remote_addr zone=graphql:10m rate=10r/s;
location /api/graphql {
    limit_req zone=graphql burst=20 nodelay;   # allow short bursts of 20 requests, reject the rest with 503
    proxy_pass http://gitlab;
}
Restrict GraphQL Access
Block unauthenticated access to GraphQL endpoints or restrict them to internal networks
# In nginx configuration (server {} block). Note: the GitLab web UI itself calls /api/graphql,
# so clients outside the allowed ranges will also lose parts of the web interface.
location /api/graphql {
    allow 10.0.0.0/8;      # Internal network
    allow 192.168.0.0/16;  # Internal network
    deny all;              # evaluated in order; everything else is rejected with 403
    proxy_pass http://gitlab;
}
🧯 If You Can't Patch
- Implement strict network ACLs to restrict GraphQL endpoint access to trusted IPs only
- Deploy WAF rules to detect and block suspicious GraphQL query patterns
🔍 How to Verify
Check if Vulnerable:
Check GitLab version with: sudo gitlab-rake gitlab:env:info | grep 'Version:'
Check Version:
sudo gitlab-rake gitlab:env:info | grep 'Version:'
Verify Fix Applied:
Verify the version is at least 18.2.7, 18.3.3, or 18.4.1 on its respective release track, and test the GraphQL endpoint with complex queries to confirm the complexity limits are enforced
📡 Detection & Monitoring
Log Indicators:
- High CPU/memory usage spikes
- Multiple failed/complex GraphQL queries from single IPs
- GraphQL query timeouts in logs
Network Indicators:
- Unusual spike in requests to /api/graphql endpoint
- Large payloads to GraphQL endpoint from external IPs
SIEM Query:
source="gitlab" AND ("graphql" OR "/api/graphql") AND (status=500 OR duration>5000)
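An added example, not part of this advisory, that applies the same predicate as the SIEM query above (GraphQL request with status 500 or running longer than 5 s) to JSON API log lines and counts hits per source IP. The log lines and the field names (path, status, duration_s, remote_ip) are constructed for this example, modelled on GitLab's api_json.log shape; adjust them to your log format.

```python
import json
from collections import defaultdict

# Constructed sample log lines (JSON per line); field names are assumptions for this example.
SAMPLE_LOG = """
{"time":"2025-01-01T10:00:00Z","path":"/api/graphql","status":200,"duration_s":0.12,"remote_ip":"203.0.113.5"}
{"time":"2025-01-01T10:00:01Z","path":"/api/graphql","status":500,"duration_s":9.8,"remote_ip":"203.0.113.5"}
{"time":"2025-01-01T10:00:02Z","path":"/api/graphql","status":200,"duration_s":7.3,"remote_ip":"203.0.113.5"}
{"time":"2025-01-01T10:00:03Z","path":"/api/graphql","status":200,"duration_s":6.1,"remote_ip":"203.0.113.5"}
{"time":"2025-01-01T10:00:04Z","path":"/api/v4/projects","status":500,"duration_s":8.0,"remote_ip":"203.0.113.5"}
{"time":"2025-01-01T10:00:05Z","path":"/api/graphql","status":200,"duration_s":0.05,"remote_ip":"198.51.100.9"}
{"time":"2025-01-01T10:00:06Z","path":"/api/graphql","status":500,"duration_s":0.4,"remote_ip":"198.51.100.9"}
"""

GRAPHQL_PATH = "/api/graphql"
SLOW_SECONDS = 5.0       # mirrors duration>5000 (ms) in the SIEM query
PER_IP_THRESHOLD = 3     # suspicious hits before an IP is reported


def is_suspicious(event):
    """Same predicate as the SIEM query: a GraphQL request that failed (500) or ran longer than 5 s."""
    if event.get("path") != GRAPHQL_PATH:
        return False
    return event.get("status") == 500 or float(event.get("duration_s", 0)) > SLOW_SECONDS


def suspicious_ips(log_text, threshold=PER_IP_THRESHOLD):
    """Count suspicious GraphQL hits per remote IP; return {ip: count} for IPs at or over the threshold."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the sweep
        if is_suspicious(event):
            counts[event.get("remote_ip", "unknown")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in suspicious_ips(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed/slow GraphQL requests")
```

Feed it a real api_json.log (or the output of the SIEM query) and tune SLOW_SECONDS and PER_IP_THRESHOLD to your instance's normal GraphQL latency.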