6.5 CVE-2025-13078
Enriched by CISA
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to cause a denial of service due to excessive resource consumption when processing certain webhook configuration inputs.
https://nvd.nist.gov/vuln/detail/CVE-2025-13078
Categories
CWE-1284 : Improper Validation of Specified Quantity in Input
The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties. Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) Chain: Javascript engine code does not perform a length check (CWE-1284) leading to integer overflow (CWE-190) causing allocation of smaller buffer than expected (CWE-131) resulting in a heap-based buffer overflow (CWE-122) Chain: Python library does not limit the resources used to process images that specify a very large number of bands (CWE-1284), leading to excessive memory consumption (CWE-789) or an integer overflow (CWE-190). lack of validation of length field leads to infinite loop lack of validation of string length fields allows memory consumption or buffer over-read
References
cve@gitlab.com
| https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-rel... Release Notes Vendor Advisory |
| https://gitlab.com/gitlab-org/gitlab/-/work_items/580488 Broken Link |
| https://hackerone.com/reports/3413704 Permissions Required |
AFFECTED (from MITRE)
| Vendor | Product | Versions |
|---|---|---|
| GitLab | GitLab |
|
| © 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. | ||
CPE
| cpe | start | end |
|---|---|---|
| Configuration 1 | ||
| cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* | >= 16.10.0 | < 18.8.7 |
| cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* | >= 16.10.0 | < 18.8.7 |
| cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* | >= 18.9.0 | < 18.9.3 |
| cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* | >= 18.9.0 | < 18.9.3 |
| cpe:2.3:a:gitlab:gitlab:18.10.0:*:*:*:community:*:*:* | ||
| cpe:2.3:a:gitlab:gitlab:18.10.0:*:*:*:enterprise:*:*:* | ||
REMEDIATION
EXPLOITS
Exploit-db.com
| id | description | date | |
|---|---|---|---|
| No known exploits | |||
POC Github
| Url |
|---|
| No known exploits |
Other Nist (github, ...)
| Url |
|---|
| No known exploits |
CAPEC
Common Attack Pattern Enumerations and Classifications
| id | description | severity |
|---|---|---|
| No entry | ||
Cybersecurity needs ?
Strengthen software security from the outset with our DevSecOps expertise
Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.
