Fixed versions: 18.8.9, 18.9.5, 18.10.3
CVE-2025-12664 describes a denial-of-service (DoS) vulnerability discovered in GitLab Community Edition (CE) and Enterprise Edition (EE). This flaw allows an unauthenticated user to overwhelm GitLab servers by sending a high volume of GraphQL queries, potentially leading to service disruption. The vulnerability impacts versions from 13.0.0 up to 18.10.3, and a fix is available in version 18.10.3.
The primary impact of CVE-2025-12664 is a denial-of-service condition. A malicious actor can exploit this vulnerability to render GitLab unavailable to legitimate users. This could disrupt critical development workflows, prevent access to repositories, and potentially impact CI/CD pipelines. The ease of exploitation, requiring only unauthenticated requests, increases the risk of widespread attacks. While the vulnerability doesn't directly lead to data exfiltration or code execution, prolonged DoS can effectively cripple GitLab instances, causing significant operational and financial consequences.
CVE-2025-12664 was publicly disclosed on 2026-04-08. There is no indication of active exploitation at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the ease of sending GraphQL requests suggests a potential for rapid exploitation if a PoC is released.
Organizations heavily reliant on GitLab for source code management, CI/CD, and collaboration are at significant risk. Specifically, deployments with limited rate limiting or WAF protection are more vulnerable. Shared hosting environments where multiple users share the same GitLab instance are also at increased risk due to the potential for one user to impact all others.
• gitlab: Examine GitLab access logs for a high volume of GraphQL requests originating from a single IP address or user. In the text-format production.log the client address is the fifth field of each "Started ... for <ip> at ..." request line, so extract that field rather than the first (which is always "Started"):

    grep 'Started POST "/api/graphql"' /var/log/gitlab/gitlab-rails/production.log | awk '{print $5}' | sort | uniq -c | sort -nr | head -10

• linux / server: Monitor system resource utilization (CPU, memory) on the GitLab server. A sudden spike in resource usage could indicate a DoS attack.

    top -b -n 1 | grep gitlab

• generic web: Use curl to test the GitLab GraphQL endpoint and observe response times. Unusually slow responses may indicate an ongoing attack.

    curl -s -w 'Response Time: %{time_total}s\n' -o /dev/null 'https://<gitlab_url>/api/graphql'
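The first check above, generalized into a small script added here (it is not part of the advisory or of GitLab itself): it parses text-format production.log request lines, assumed to look like `Started POST "/api/graphql" for <ip> at <timestamp>`, and flags any client address that sends more than a threshold of GraphQL requests inside a sliding time window. The log lines it runs on are constructed, and it assumes the log is in chronological order.

```python
import re
import sys
from collections import defaultdict, deque
from datetime import datetime

# Assumed shape of a Rails request line in /var/log/gitlab/gitlab-rails/production.log:
#   Started POST "/api/graphql" for 203.0.113.5 at 2026-04-08 10:00:00 +0000
STARTED_RE = re.compile(
    r'^Started (?P<method>[A-Z]+) "(?P<path>[^"]+)" for (?P<ip>\S+) at '
    r'(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})'
)

# Constructed sample log: one client sends four GraphQL requests in three seconds.
SAMPLE_LOG = """\
Started POST "/api/graphql" for 203.0.113.5 at 2026-04-08 10:00:00 +0000
Started GET "/dashboard/projects" for 198.51.100.7 at 2026-04-08 10:00:01 +0000
Started POST "/api/graphql" for 203.0.113.5 at 2026-04-08 10:00:01 +0000
Started POST "/api/graphql" for 203.0.113.5 at 2026-04-08 10:00:02 +0000
Started POST "/api/graphql" for 203.0.113.5 at 2026-04-08 10:00:03 +0000
Started POST "/api/graphql" for 198.51.100.7 at 2026-04-08 10:00:04 +0000
Started POST "/api/graphql" for 203.0.113.5 at 2026-04-08 10:01:30 +0000
""".splitlines()


def parse_graphql_requests(lines):
    """Yield (timestamp, client_ip) for every request to the GraphQL endpoint."""
    for line in lines:
        m = STARTED_RE.match(line)
        if m and m.group("path").startswith("/api/graphql"):
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("ip")


def find_bursts(lines, max_requests, window_seconds):
    """Return {ip: peak_count} for clients whose GraphQL request count inside any
    sliding window of window_seconds exceeded max_requests."""
    windows = defaultdict(deque)  # per-IP timestamps still inside the window
    offenders = {}
    for ts, ip in parse_graphql_requests(lines):
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # drop aged-out requests
            q.popleft()
        if len(q) > max_requests:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders


if __name__ == "__main__":
    # Usage: python graphql_bursts.py [/var/log/gitlab/gitlab-rails/production.log]
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, peak in find_bursts(source, max_requests=3, window_seconds=10).items():
        print(f"{ip}: {peak} GraphQL requests within 10s")
```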
EPSS: 0.05% (16th percentile)
The recommended mitigation for CVE-2025-12664 is to immediately upgrade GitLab to version 18.10.3 or later. If upgrading is not immediately feasible, implement temporary workarounds to reduce the attack surface. These include configuring rate limiting on GraphQL endpoints to restrict the number of requests per user or IP address. Web application firewalls (WAFs) can also be configured to detect and block malicious GraphQL query patterns. Monitoring GitLab logs for unusual query activity is crucial for early detection.
Upgrade GitLab to version 18.8.9 or later, 18.9.5 or later, or 18.10.3 or later to mitigate the vulnerability. This update fixes a flaw in validating the quantity specified in the input that could allow an unauthenticated user to cause a denial of service by sending repeated GraphQL queries.
CVE-2025-12664 is a denial-of-service vulnerability in GitLab allowing unauthenticated users to cause service disruption via repeated GraphQL queries.
You are affected if you are running GitLab versions 13.0.0 through 18.10.3. Upgrade to 18.10.3 or later to mitigate the risk.
The primary fix is to upgrade GitLab to version 18.10.3 or later. Temporary workarounds include rate limiting and WAF configuration.
There is currently no public evidence of active exploitation, but the ease of exploitation suggests a potential risk.
Refer to the official GitLab security advisory for CVE-2025-12664: [https://gitlab.com/security/security-advisories/CVE-2025-12664](https://gitlab.com/security/security-advisories/CVE-2025-12664)