{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13078", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "state": "PUBLISHED", "assignerShortName": "GitLab", "dateReserved": "2025-11-12T16:33:36.271Z", "datePublished": "2026-03-25T16:35:03.858Z", "dateUpdated": "2026-03-25T17:02:57.718Z"}, "containers": {"cna": {"title": "Improper Validation of Specified Quantity in Input in GitLab", "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to cause a denial of service due to excessive resource consumption when processing certain webhook configuration inputs."}], "affected": [{"vendor": "GitLab", "product": "GitLab", "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", "cpes": ["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"], "versions": [{"version": "16.10", "status": "affected", "lessThan": "18.8.7", "versionType": "semver"}, {"version": "18.9", "status": "affected", "lessThan": "18.9.3", "versionType": "semver"}, {"version": "18.10", "status": "affected", "lessThan": "18.10.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-1284: Improper Validation of Specified Quantity in Input", "cweId": "CWE-1284", "type": "CWE"}]}], "references": [{"url": "https://hackerone.com/reports/3413704", "name": "HackerOne Bug Bounty Report #3413704", "tags": ["technical-description", "exploit", "permissions-required"]}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/580488"}, {"url": "https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "solutions": [{"lang": "en", "value": "Upgrade to versions 18.8.7, 18.9.3, 18.10.1 or above."}], "credits": [{"lang": "en", "value": "Thanks [lucky_luke](https://hackerone.com/lucky_luke) for reporting this vulnerability through our HackerOne bug bounty program", "type": "finder"}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2026-03-25T16:35:03.858Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T17:02:49.827497Z", "id": "CVE-2025-13078", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T17:02:57.718Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13078", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T17:02:49.827497Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T17:02:53.960Z"}}], "cna": {"title": "Improper Validation of Specified Quantity in Input in GitLab", "credits": [{"lang": "en", "type": "finder", "value": "Thanks [lucky_luke](https://hackerone.com/lucky_luke) for reporting this vulnerability through our HackerOne bug bounty program"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"], "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", "vendor": "GitLab", "product": "GitLab", "versions": [{"status": "affected", "version": "16.10", "lessThan": "18.8.7", "versionType": "semver"}, {"status": "affected", "version": "18.9", "lessThan": "18.9.3", "versionType": "semver"}, {"status": "affected", "version": "18.10", "lessThan": "18.10.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to versions 18.8.7, 18.9.3, 18.10.1 or above."}], "references": [{"url": "https://hackerone.com/reports/3413704", "name": "HackerOne Bug Bounty Report #3413704", "tags": ["technical-description", "exploit", "permissions-required"]}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/580488"}, {"url": "https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released/"}], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to cause a denial of service due to excessive resource consumption when processing certain webhook configuration inputs."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1284", "description": "CWE-1284: Improper Validation of Specified Quantity in Input"}]}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2026-03-25T16:35:03.858Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13078", "state": "PUBLISHED", "dateUpdated": "2026-03-25T17:02:57.718Z", "dateReserved": "2025-11-12T16:33:36.271Z", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "datePublished": "2026-03-25T16:35:03.858Z", "assignerShortName": "GitLab"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to cause a denial of service due to excessive resource consumption when processing certain webhook configuration inputs."}], "id": "CVE-2025-13078", "lastModified": "2026-03-26T15:13:15.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "cve@gitlab.com", "type": "Secondary"}]}, "published": "2026-03-25T17:16:26.963", "references": [{"source": "cve@gitlab.com", "url": "https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released/"}, {"source": "cve@gitlab.com", "url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/580488"}, {"source": "cve@gitlab.com", "url": "https://hackerone.com/reports/3413704"}], "sourceIdentifier": "cve@gitlab.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1284"}], "source": "cve@gitlab.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[16.10,18.8.7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[18.9,18.9.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[18.10,18.10.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "inferred", "scores": [{"score": 100.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "GitLab", "source": "cna", "vendor": "GitLab"}, "product": "gitlab", "vendor": "gitlab"}], "analysis": {"en": {"generated_at": "2026-03-25T17:20:38.512444+00:00", "value": {"mitigation_remediation": ["Upgrade to GitLab 18.8.7, 18.9.3, or 18.10.1 or any newer release as listed in the vendor\u2019s security advisory."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service via resource exhaustion"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts GitLab Community Edition and Enterprise Edition. All versions from 16.10 up through 18.10.1 that have not been upgraded to the four specific patch releases are susceptible. Users running the indicated build numbers should verify whether they are on 18.8.7, 18.9.3, or 18.10.1 or a newer patch level.", "description_and_impact": "GitLab suffered from improper validation of input quantity for webhook configuration, allowing an authenticated user to supply an excessively large value that causes the server to consume disproportionate resources and become unresponsive. The flaw is rooted in CWE\u20111284 and can lead to availability loss for the affected instance. Affected releases span from GitLab 16.10 onwards until just before the patches mentioned. Once triggered, the denial of service could halt normal operations until the resource consumption subsides or the instance is restarted.", "risk_and_exploitability": "The CVSS base score is 6.5, reflecting a moderate risk if an attacker gains account access. Because the weakness requires the attacker to be authenticated on the system, the attack vector is limited to legitimate users or those who have compromised credentials. The EPSS score is unavailable, and the vulnerability is not listed in the CISA KEV catalog, implying no documented exploitation yet. Nonetheless, the lack of input validation creates a clear path to affect the availability of the entire GitLab instance by delivering a crafted webhook configuration."}}}}, "created": "2026-03-25T21:46:46.481971+00:00", "updated": "2026-03-26T11:34:29.298550+00:00", "vendors": ["gitlab", "gitlab$PRODUCT$gitlab"]}