Scan free
HIGHCVE-2025-14869CVSS 7.5

CVE-2025-14869: DoS in GitLab

Platform

gitlab

Component

gitlab

Fixed in

18.11.3

View on NVD
Save

CVE-2025-14869 describes a denial-of-service vulnerability discovered in GitLab Community Edition (CE) and Enterprise Edition (EE). This flaw allows an unauthenticated user to trigger a DoS condition by exploiting specific API endpoints with specially crafted payloads. The vulnerability impacts versions 18.5.0 through 18.11.3 and is resolved in version 18.11.3.

Impact and Attack Scenarios

Successful exploitation of CVE-2025-14869 can lead to a denial-of-service condition, rendering affected GitLab instances unavailable to legitimate users. An attacker could repeatedly send malicious payloads, overwhelming the server's resources and causing it to crash or become unresponsive. The impact extends beyond simple service disruption; prolonged DoS attacks can hinder critical development workflows, impact CI/CD pipelines, and potentially lead to data loss if recovery is delayed. While the vulnerability requires no authentication, the attacker needs to be able to reach the targeted API endpoints, which might be restricted by firewalls or network configurations.

Exploitation Context

CVE-2025-14869 was published on 2026-05-14. The vulnerability's impact is considered high due to the potential for widespread service disruption. No public exploits or active campaigns have been reported at the time of writing. The vulnerability is not currently listed on KEV or EPSS, suggesting a low probability of immediate exploitation, but proactive patching is still recommended.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H7.5HIGHAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredNoneAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityNoneRisk of sensitive data exposureIntegrityNoneRisk of unauthorized data modificationAvailabilityHighRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
None — no integrity impact. Attacker cannot modify data.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Componentgitlab
VendorGitLab
Minimum version18.5.0
Maximum version18.11.3
Fixed in18.11.3

Weakness Classification (CWE)

CWE-1284

Timeline

  1. Reserved
  2. Published

Mitigation and Workarounds

The primary mitigation for CVE-2025-14869 is to upgrade GitLab to version 18.11.3 or later. If immediate upgrading is not feasible, consider implementing rate limiting on the affected API endpoints to restrict the number of requests from a single source within a given timeframe. Web Application Firewalls (WAFs) configured to detect and block malicious payloads targeting API endpoints can also provide a temporary layer of protection. Review GitLab's network configuration to ensure only authorized traffic can access the API endpoints.

How to fix

Actualice GitLab a la versión 18.9.7 o superior, 18.10.6 o superior, o 18.11.3 o superior para mitigar la vulnerabilidad. Esta actualización corrige una falla de validación de cantidad en ciertos puntos finales de la API que podría permitir a un usuario no autenticado causar una denegación de servicio.

Frequently asked questions

What is CVE-2025-14869 — DoS in GitLab?

CVE-2025-14869 is a denial-of-service vulnerability in GitLab CE/EE allowing unauthenticated users to disrupt service by sending crafted payloads to specific API endpoints. It affects versions 18.5.0–18.11.3 and is rated HIGH severity.

Am I affected by CVE-2025-14869 in GitLab?

You are affected if you are running GitLab CE/EE versions 18.5.0 through 18.11.3. Upgrade to 18.11.3 or later to mitigate the risk.

How do I fix CVE-2025-14869 in GitLab?

The recommended fix is to upgrade GitLab to version 18.11.3 or a later version. As a temporary workaround, implement rate limiting on affected API endpoints.

Is CVE-2025-14869 being actively exploited?

Currently, there are no reports of CVE-2025-14869 being actively exploited, but proactive patching is still recommended to prevent potential future attacks.

Where can I find the official GitLab advisory for CVE-2025-14869?

Refer to the official GitLab security advisory for CVE-2025-14869 on the GitLab website: [https://gitlab.com/security/advisories/](https://gitlab.com/security/advisories/)

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs
livefree scan

Try it now — no account

Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.

Manual scanSlack/email alertsContinuous monitoringWhite-label reports

Drag & drop your dependency file

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...