CVE-2025-8099
📋 TL;DR
This vulnerability allows unauthenticated attackers to send repeated GraphQL queries to GitLab instances, causing denial of service by exhausting server resources. It affects all GitLab Community Edition and Enterprise Edition installations running vulnerable versions. The issue impacts availability but does not enable data theft or privilege escalation.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability for all users, requiring manual intervention to restore functionality.
Likely Case
Degraded performance or temporary service interruptions affecting legitimate users.
If Mitigated
Minimal impact with proper rate limiting and monitoring in place.
🎯 Exploit Status
Attack requires no authentication and can be performed with simple HTTP requests to the GraphQL endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 18.6.6, 18.7.4, or 18.8.4
Vendor Advisory: https://about.gitlab.com/releases/2026/02/10/patch-release-gitlab-18-8-4-released/
Restart Required: Yes
Instructions:
1. Back up your GitLab instance.
2. Update to a patched version using your package manager (apt/yum).
3. Run 'gitlab-ctl reconfigure'.
4. Restart GitLab services.
🔧 Temporary Workarounds
Rate Limit GraphQL Endpoint
Implement rate limiting on the /api/graphql endpoint using web server or WAF rules.
# Example nginx rate limiting. Define the zone in the http context:
limit_req_zone $binary_remote_addr zone=graphql:10m rate=10r/s;
# Then add inside the location /api/graphql block:
limit_req zone=graphql burst=20 nodelay;
# Behind a load balancer, key on the real client address (realip module) or every client shares one bucket.
Restrict GraphQL Access
Block unauthenticated access to the GraphQL endpoint using firewall rules.
# iptables example (plaintext HTTP on port 80 only; TLS traffic on 443 cannot be string-matched this way):
iptables -A INPUT -p tcp --dport 80 -m string --string "POST /api/graphql" --algo bm -j DROP
# Note: this rule drops every GraphQL POST, authenticated ones included, so treat it as a short-term stopgap.
🧯 If You Can't Patch
- Implement strict rate limiting on GraphQL endpoints using WAF or reverse proxy.
- Monitor for unusual GraphQL query patterns and implement automated blocking.
🔍 How to Verify
Check if Vulnerable:
Check the running GitLab version with:
sudo gitlab-rake gitlab:env:info | grep 'Version:'
Verify Fix Applied:
Confirm the version is at least 18.6.6 on the 18.6 branch, 18.7.4 on 18.7, or 18.8.4 on 18.8 (or any later release). A higher minor is not enough on its own: 18.7.0 is numerically above 18.6.6 but is still unpatched.
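The per-branch comparison above is easy to get wrong by hand, so here is a small checker for it. This is an added example, not GitLab's own tooling: it parses the 'Version:' line from gitlab:env:info output (the sample text is constructed) and compares against the patched release of the same branch. Its handling of branches the advisory does not list (older than 18.6 treated as vulnerable, newer than 18.8 treated as fixed) is an assumption.

```python
import re
import subprocess

# Patched releases per GitLab minor branch, as listed in the advisory above.
PATCHED = {
    (18, 6): (18, 6, 6),
    (18, 7): (18, 7, 4),
    (18, 8): (18, 8, 4),
}

# Constructed sample of `gitlab-rake gitlab:env:info` output (not from a real instance).
SAMPLE_ENV_INFO = """\
GitLab information
Version:\t18.7.2-ee
Revision:\tREVISION_PLACEHOLDER
"""


def parse_version(env_info):
    """Pull the 'Version:' line out of gitlab:env:info output and return
    (major, minor, patch); an '-ee' / '-ce' suffix is ignored."""
    m = re.search(r"^Version:\s*(\d+)\.(\d+)\.(\d+)", env_info, re.MULTILINE)
    if not m:
        raise ValueError("no 'Version:' line found in gitlab:env:info output")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True if `version` is below the patched release of its own branch.
    The comparison is per branch: 18.7.0 is above 18.6.6 but still unpatched."""
    branch = version[:2]
    if branch in PATCHED:
        return version < PATCHED[branch]
    # Assumption for branches the advisory does not list: anything newer than
    # 18.8 carries the fix; anything older is unsupported and treated as vulnerable.
    return branch < (18, 6)


def assess(env_info):
    """Summarise one gitlab:env:info dump as {'version': 'x.y.z', 'vulnerable': bool}."""
    v = parse_version(env_info)
    return {"version": ".".join(map(str, v)), "vulnerable": is_vulnerable(v)}


if __name__ == "__main__":
    # Run the same command the advisory gives and assess its output.
    out = subprocess.run(
        ["sudo", "gitlab-rake", "gitlab:env:info"],
        capture_output=True, text=True, check=True,
    ).stdout
    print(assess(out))
```

Run it on the instance itself; it prints a one-line verdict, and the exit path is the same `gitlab-rake` call the advisory uses, so no extra access is needed.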
📡 Detection & Monitoring
Log Indicators:
- High frequency of POST requests to /api/graphql from single IP
- Increased error rates or timeout responses in application logs
Network Indicators:
- Unusual spike in traffic to GraphQL endpoint
- Multiple identical GraphQL queries from same source
SIEM Query:
source="gitlab.logs" AND (uri_path="/api/graphql" AND status>=500) | stats count by src_ip
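The log and network indicators above (a burst of POSTs to /api/graphql from one source, rising 5xx rates) can be checked offline against the nginx access log before a SIEM rule exists. The script below is an added example, not part of this advisory or of GitLab: it parses nginx "combined" log lines (the format GitLab's bundled nginx writes to gitlab_access.log by default), keeps a sliding per-IP window of GraphQL POSTs, and reports the peak rate and 5xx count per source. The traffic it analyses is constructed in build_sample_log(); the threshold of 50 requests per minute is an arbitrary starting point, not a GitLab recommendation.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# nginx "combined" format: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one combined access-log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]  # drop any query string before matching the path
    return m["ip"], ts, m["method"], path, int(m["status"])


def graphql_report(log_text, window_seconds=60, path="/api/graphql"):
    """Per source IP: peak number of POSTs to `path` seen inside any sliding
    window of `window_seconds`, plus how many of those POSTs returned 5xx."""
    recent = defaultdict(deque)
    report = defaultdict(lambda: {"peak_posts": 0, "errors_5xx": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, rpath, status = rec
        if method != "POST" or rpath != path:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()
        entry = report[ip]
        entry["peak_posts"] = max(entry["peak_posts"], len(q))
        if status >= 500:
            entry["errors_5xx"] += 1
    return dict(report)


def flagged_sources(log_text, threshold=50, window_seconds=60):
    """Source IPs whose GraphQL POST rate reached `threshold` in any window."""
    rep = graphql_report(log_text, window_seconds)
    return sorted(ip for ip, e in rep.items() if e["peak_posts"] >= threshold)


def build_sample_log():
    """Constructed sample traffic (not real logs): one source hammering GraphQL
    until the instance starts answering 503, and one ordinary user."""
    base = datetime(2026, 2, 10, 12, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{t}] "{m} {p} HTTP/1.1" {s} 812 "-" "{ua}"'
    stamp = lambda dt: dt.strftime("%d/%b/%Y:%H:%M:%S %z")
    lines = []
    for i in range(120):  # 120 POSTs in 30 seconds; the last 40 fail with 503
        lines.append(fmt.format(ip="203.0.113.10", t=stamp(base + timedelta(seconds=i * 0.25)),
                                m="POST", p="/api/graphql", s=503 if i >= 80 else 200,
                                ua="curl/8.5.0"))
    for i in range(5):  # one POST per minute from a normal browser session
        lines.append(fmt.format(ip="198.51.100.7", t=stamp(base + timedelta(minutes=i)),
                                m="POST", p="/api/graphql", s=200, ua="Mozilla/5.0"))
    lines.append(fmt.format(ip="198.51.100.7", t=stamp(base), m="GET", p="/users/sign_in",
                            s=200, ua="Mozilla/5.0"))
    return "\n".join(lines)


if __name__ == "__main__":
    sample = build_sample_log()
    for ip, e in graphql_report(sample).items():
        print(f"{ip}: peak {e['peak_posts']} POSTs/min, {e['errors_5xx']} x 5xx")
    print("flagged:", flagged_sources(sample))
```

Point graphql_report at the real gitlab_access.log contents to get the same table for live traffic. The access log carries no request body, so it cannot tell identical queries apart; that indicator needs GitLab's own GraphQL logging or a WAF that records the operation name.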