{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3922", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "state": "PUBLISHED", "assignerShortName": "GitLab", "dateReserved": "2025-04-24T13:02:02.717Z", "datePublished": "2026-04-22T16:05:31.304Z", "dateUpdated": "2026-04-22T17:28:16.879Z"}, "containers": {"cna": {"title": "Allocation of Resources Without Limits or Throttling in GitLab", "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.4 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an authenticated user to cause denial of service by overwhelming system resources under certain conditions due to insufficient resource allocation limits in the GraphQL API."}], "affected": [{"vendor": "GitLab", "product": "GitLab", "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", "cpes": ["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"], "versions": [{"version": "12.4", "status": "affected", "lessThan": "18.9.6", "versionType": "semver"}, {"version": "18.10", "status": "affected", "lessThan": "18.10.4", "versionType": "semver"}, {"version": "18.11", "status": "affected", "lessThan": "18.11.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "cweId": "CWE-770", "type": "CWE"}]}], "references": [{"url": "https://hackerone.com/reports/3098035", "name": "HackerOne Bug Bounty Report #3098035", "tags": ["technical-description", "exploit", "permissions-required"]}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/537422"}, {"url": "https://about.gitlab.com/releases/2026/04/22/patch-release-gitlab-18-11-1-released/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "solutions": [{"lang": "en", "value": "Upgrade to versions 18.9.6, 18.10.4, 18.11.1 or above."}], "credits": [{"lang": "en", "value": "Thanks [pwnie](https://hackerone.com/pwnie) for reporting this vulnerability through our HackerOne bug bounty program", "type": "finder"}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2026-04-22T16:05:31.304Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T17:27:36.090684Z", "id": "CVE-2025-3922", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T17:28:16.879Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3922", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T17:27:36.090684Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T17:27:58.570Z"}}], "cna": {"title": "Allocation of Resources Without Limits or Throttling in GitLab", "credits": [{"lang": "en", "type": "finder", "value": "Thanks [pwnie](https://hackerone.com/pwnie) for reporting this vulnerability through our HackerOne bug bounty program"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"], "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", "vendor": "GitLab", "product": "GitLab", "versions": [{"status": "affected", "version": "12.4", "lessThan": "18.9.6", "versionType": "semver"}, {"status": "affected", "version": "18.10", "lessThan": "18.10.4", "versionType": "semver"}, {"status": "affected", "version": "18.11", "lessThan": "18.11.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to versions 18.9.6, 18.10.4, 18.11.1 or above."}], "references": [{"url": "https://hackerone.com/reports/3098035", "name": "HackerOne Bug Bounty Report #3098035", "tags": ["technical-description", "exploit", "permissions-required"]}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/537422"}, {"url": "https://about.gitlab.com/releases/2026/04/22/patch-release-gitlab-18-11-1-released/"}], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.4 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an authenticated user to cause denial of service by overwhelming system resources under certain conditions due to insufficient resource allocation limits in the GraphQL API."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2026-04-22T16:05:31.304Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3922", "state": "PUBLISHED", "dateUpdated": "2026-04-22T17:28:16.879Z", "dateReserved": "2025-04-24T13:02:02.717Z", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "datePublished": "2026-04-22T16:05:31.304Z", "assignerShortName": "GitLab"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.4 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an authenticated user to cause denial of service by overwhelming system resources under certain conditions due to insufficient resource allocation limits in the GraphQL API."}], "id": "CVE-2025-3922", "lastModified": "2026-04-22T21:23:52.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "cve@gitlab.com", "type": "Secondary"}]}, "published": "2026-04-22T17:16:33.123", "references": [{"source": "cve@gitlab.com", "url": "https://about.gitlab.com/releases/2026/04/22/patch-release-gitlab-18-11-1-released/"}, {"source": "cve@gitlab.com", "url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/537422"}, {"source": "cve@gitlab.com", "url": "https://hackerone.com/reports/3098035"}], "sourceIdentifier": "cve@gitlab.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "cve@gitlab.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[12.4,18.9.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[18.10,18.10.4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[18.11,18.11.1)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "GitLab", "source": "cna", "vendor": "GitLab"}, "product": "gitlab", "vendor": "gitlab"}], "analysis": {"en": {"generated_at": "2026-04-22T18:20:20.813967+00:00", "value": {"mitigation_remediation": ["Upgrade GitLab to version 18.9.6, 18.10.4, 18.11.1 or any later release as stated by the vendor.", "Restrict the use of the GraphQL API to trusted users or apply server\u2011side throttling to limit request rates while a patch is applied.", "Monitor system and application logs for sudden increases in GraphQL activity that could indicate an attempted resource exhaustion attack."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service via resource exhaustion"}, "threat_synthesis": {"affected_systems": "All GitLab installations from version 12.4 through 18.9.5, 18.10.x before 18.10.4, and 18.11.x before 18.11.1 are vulnerable. The vendor recommends upgrading to 18.9.6, 18.10.4, 18.11.1 or any later release to mitigate the issue.", "description_and_impact": "GitLab CE and Enterprise Edition contain a flaw that allows an authenticated user to send specially crafted GraphQL queries that consume excessive system resources, potentially leading to a denial of service. The weakness is identified as CWE-770, which highlights the lack of resource allocation limits.", "risk_and_exploitability": "With a CVSS score of 6.5, the vulnerability poses a moderate risk. The EPSS score is not available and the vulnerability has not been listed in the CISA KEV catalog. Exploitation requires an authenticated user with access to the GraphQL API, and the attacker can trigger resource exhaustion that may bring the GitLab instance or hosting server offline."}}}}, "created": "2026-04-22T18:30:23.752609+00:00", "updated": "2026-04-22T19:15:24.272733+00:00", "vendors": ["gitlab", "gitlab$PRODUCT$gitlab"]}