Fixed versions: 18.8.9, 18.9.5, 18.10.3
CVE-2025-12664 describes a denial-of-service (DoS) vulnerability discovered in GitLab Community Edition (CE) and Enterprise Edition (EE). This flaw allows an unauthenticated user to overwhelm GitLab servers by sending a high volume of GraphQL queries, potentially leading to service disruption. The vulnerability impacts versions from 13.0.0 up to 18.10.3, and a fix is available in version 18.10.3.
The primary impact of CVE-2025-12664 is a denial-of-service condition. A malicious actor can exploit this vulnerability to render GitLab unavailable to legitimate users. This could disrupt critical development workflows, prevent access to repositories, and potentially impact CI/CD pipelines. The ease of exploitation, requiring only unauthenticated requests, increases the risk of widespread attacks. While the vulnerability doesn't directly lead to data exfiltration or code execution, prolonged DoS can effectively cripple GitLab instances, causing significant operational and financial consequences.
CVE-2025-12664 was publicly disclosed on 2026-04-08. There is no indication of active exploitation at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the ease of sending GraphQL requests suggests a potential for rapid exploitation if a PoC is released.
EPSS: 0.05% (16th percentile)
The recommended mitigation for CVE-2025-12664 is to immediately upgrade GitLab to version 18.10.3 or later. If upgrading is not immediately feasible, implement temporary workarounds to reduce the attack surface. These include configuring rate limiting on GraphQL endpoints to restrict the number of requests per user or IP address. Web application firewalls (WAFs) can also be configured to detect and block malicious GraphQL query patterns. Monitoring GitLab logs for unusual query activity is crucial for early detection.
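One way to do the log monitoring the paragraph above recommends, as an added example that is not part of the advisory or of GitLab's own tooling: the script below scans JSON request-log lines, keeps a sliding window of GraphQL requests per client IP, and reports any IP whose request count inside the window crosses a threshold. The log lines are constructed for this example and their field names (`time`, `path`, `remote_ip`) are an assumption, not a documented GitLab log format; the window and threshold values are likewise illustrative and should be tuned to the instance's normal traffic.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log: 60 GraphQL POSTs in 60 s from one IP, a single
# GraphQL POST from another IP, one non-GraphQL request, and one corrupt line.
# Field names are assumed for this example, not taken from GitLab documentation.
SAMPLE_LOG = "\n".join(
    [json.dumps({"time": f"2026-04-08T10:00:{s:02d}.000Z", "method": "POST",
                 "path": "/api/graphql", "remote_ip": "203.0.113.7", "status": 200})
     for s in range(60)]
    + [json.dumps({"time": "2026-04-08T10:00:05.000Z", "method": "POST",
                   "path": "/api/graphql", "remote_ip": "198.51.100.2", "status": 200})]
    + [json.dumps({"time": "2026-04-08T10:00:06.000Z", "method": "GET",
                   "path": "/projects", "remote_ip": "203.0.113.7", "status": 200})]
    + ["this line is not valid JSON {{{"]
)


def parse_line(line):
    """Return (timestamp, ip) for a GraphQL request line, or None for anything else."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None  # skip truncated or non-JSON lines instead of aborting the scan
    if rec.get("path") != "/api/graphql":
        return None  # only the GraphQL endpoint is of interest here
    try:
        ts = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%S.%fZ")
    except (KeyError, ValueError):
        return None  # missing or unparseable timestamp
    return ts.replace(tzinfo=timezone.utc), rec.get("remote_ip", "unknown")


def find_graphql_bursts(log_text, window_seconds=60, threshold=30):
    """Return {ip: peak GraphQL requests seen in any window} for IPs at or above threshold."""
    windows = defaultdict(deque)   # per-IP timestamps inside the current window
    peaks = defaultdict(int)       # per-IP highest window count observed
    events = sorted(e for e in (parse_line(l) for l in log_text.splitlines()) if e)
    for ts, ip in events:
        q = windows[ip]
        q.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peaks[ip] = max(peaks[ip], len(q))
    return {ip: n for ip, n in peaks.items() if n >= threshold}


if __name__ == "__main__":
    for ip, count in find_graphql_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {count} GraphQL requests within 60 s (threshold 30)")
```

Run against a real log, the same function can be pointed at the GraphQL request log after confirming the actual field names; the sliding window matters because a burst spread over two fixed one-minute buckets would otherwise be halved and missed.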
Update GitLab to version 18.8.9 or later, 18.9.5 or later, or 18.10.3 or later to mitigate the vulnerability. This update corrects an input validation flaw that could allow an unauthenticated user to cause a denial of service by sending repeated GraphQL queries.
CVE-2025-12664 is a denial-of-service vulnerability in GitLab allowing unauthenticated users to cause service disruption via repeated GraphQL queries.
You are affected if you are running GitLab versions 13.0.0 through 18.10.3. Upgrade to 18.10.3 or later to mitigate the risk.
The primary fix is to upgrade GitLab to version 18.10.3 or later. Temporary workarounds include rate limiting and WAF configuration.
There is currently no public evidence of active exploitation, but the ease of exploitation suggests a potential risk.
Refer to the official GitLab security advisory for CVE-2025-12664: [https://gitlab.com/security/security-advisories/CVE-2025-12664](https://gitlab.com/security/security-advisories/CVE-2025-12664)