Security Vulnerability Report
CVE-2025-14869 CVSS 7.5 HIGH

CVE-2025-14869

Published: 2026-05-14 06:16:21
Last Modified: 2026-05-14 16:20:43

Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.5 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by sending specially crafted payloads on certain API endpoints.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration (CPE) data is attached to the record; the affected version ranges below are taken from the description:

GitLab CE/EE >= 18.5, < 18.9.7
GitLab CE/EE >= 18.10, < 18.10.6
GitLab CE/EE >= 18.11, < 18.11.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2025-14869 Proof of Concept (DoS)
# Target: GitLab CE/EE < 18.11.3
# Description: Sends a crafted payload to a vulnerable API endpoint.

def trigger_dos(target_url):
    # The specific endpoint needs to be identified based on the advisory details
    endpoint = f"{target_url}/api/v4/vulnerable_endpoint"

    # Crafted payload intended to trigger the denial of service
    malicious_payload = {
        "field": "<crafted_data_to_crash_service>"
    }

    headers = {
        "Content-Type": "application/json"
    }

    try:
        print(f"[+] Sending payload to {endpoint}...")
        response = requests.post(endpoint, json=malicious_payload, headers=headers, timeout=5)

        if response.status_code in [500, 502, 503]:
            print(f"[!] Potential DoS triggered. Server returned: {response.status_code}")
        else:
            print(f"[-] Request returned status: {response.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"[!] Request failed (Service potentially down): {e}")

if __name__ == "__main__":
    target = "http://localhost"  # Replace with actual target
    trigger_dos(target)

References

https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/
https://gitlab.com/gitlab-org/gitlab/-/work_items/584489
https://hackerone.com/reports/3447146

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-14869",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-14T06:16:20.757",
    "lastModified": "2026-05-14T16:20:43.240",
    "vulnStatus": "Undergoing Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.5 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by sending specially crafted payloads on certain API endpoints."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-1284"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/",
        "source": "[email protected]"
      },
      {
        "url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/584489",
        "source": "[email protected]"
      },
      {
        "url": "https://hackerone.com/reports/3447146",
        "source": "[email protected]"
      }
    ]
  }
}