{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13436", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "state": "PUBLISHED", "assignerShortName": "GitLab", "dateReserved": "2025-11-19T17:33:30.427Z", "datePublished": "2026-03-25T16:34:53.851Z", "dateUpdated": "2026-03-25T17:03:54.631Z"}, "containers": {"cna": {"title": "Allocation of Resources Without Limits or Throttling in GitLab", "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to cause a denial of service due to excessive resource consumption when handling certain CI-related inputs."}], "affected": [{"vendor": "GitLab", "product": "GitLab", "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", "cpes": ["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"], "versions": [{"version": "13.7", "status": "affected", "lessThan": "18.8.7", "versionType": "semver"}, {"version": "18.9", "status": "affected", "lessThan": "18.9.3", "versionType": "semver"}, {"version": "18.10", "status": "affected", "lessThan": "18.10.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "cweId": "CWE-770", "type": "CWE"}]}], "references": [{"url": "https://hackerone.com/reports/3418149", "name": "HackerOne Bug Bounty Report #3418149", "tags": ["technical-description", "exploit", "permissions-required"]}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/581372"}, {"url": "https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "solutions": [{"lang": "en", "value": "Upgrade to versions 18.8.7, 18.9.3, 18.10.1 or above."}], "credits": [{"lang": "en", "value": "Thanks [a92847865](https://hackerone.com/a92847865) for reporting this vulnerability through our HackerOne bug bounty program", "type": "finder"}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2026-03-25T16:34:53.851Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T17:03:46.990746Z", "id": "CVE-2025-13436", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T17:03:54.631Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13436", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T17:03:46.990746Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T17:03:50.254Z"}}], "cna": {"title": "Allocation of Resources Without Limits or Throttling in GitLab", "credits": [{"lang": "en", "type": "finder", "value": "Thanks [a92847865](https://hackerone.com/a92847865) for reporting this vulnerability through our HackerOne bug bounty program"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"], "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", "vendor": "GitLab", "product": "GitLab", "versions": [{"status": "affected", "version": "13.7", "lessThan": "18.8.7", "versionType": "semver"}, {"status": "affected", "version": "18.9", "lessThan": "18.9.3", "versionType": "semver"}, {"status": "affected", "version": "18.10", "lessThan": "18.10.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to versions 18.8.7, 18.9.3, 18.10.1 or above."}], "references": [{"url": "https://hackerone.com/reports/3418149", "name": "HackerOne Bug Bounty Report #3418149", "tags": ["technical-description", "exploit", "permissions-required"]}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/581372"}, {"url": "https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released/"}], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to cause a denial of service due to excessive resource consumption when handling certain CI-related inputs."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2026-03-25T16:34:53.851Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13436", "state": "PUBLISHED", "dateUpdated": "2026-03-25T17:03:54.631Z", "dateReserved": "2025-11-19T17:33:30.427Z", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "datePublished": "2026-03-25T16:34:53.851Z", "assignerShortName": "GitLab"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to cause a denial of service due to excessive resource consumption when handling certain CI-related inputs."}], "id": "CVE-2025-13436", "lastModified": "2026-03-26T15:13:15.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "cve@gitlab.com", "type": "Secondary"}]}, "published": "2026-03-25T17:16:27.163", "references": [{"source": "cve@gitlab.com", "url": "https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released/"}, {"source": "cve@gitlab.com", "url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/581372"}, {"source": "cve@gitlab.com", "url": "https://hackerone.com/reports/3418149"}], "sourceIdentifier": "cve@gitlab.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "cve@gitlab.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[13.7,18.8.7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[18.9,18.9.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[18.10,18.10.1)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "GitLab", "source": "cna", "vendor": "GitLab"}, "product": "gitlab", "vendor": "gitlab"}], "analysis": {"en": {"generated_at": "2026-03-25T17:21:07.939921+00:00", "value": {"mitigation_remediation": ["Verify the current GitLab version and compare it against the affected version range.", "If the system is running an affected version, upgrade immediately to 18.8.7, 18.9.3, 18.10.1, or the latest available release.", "After upgrading, validate that CI processes no longer trigger excessive resource usage.", "If an upgrade cannot be performed right away, monitor resource consumption during CI runs and apply additional throttling as a temporary measure."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "GitLab Community Edition and Enterprise Edition versions starting from 13.7 through the pre\u201118.8.7 builds, 18.9 before 18.9.3, and 18.10 before 18.10.1 are impacted. The recommended fix is to upgrade to 18.8.7, 18.9.3, 18.10.1, or any later release that includes the remediation.", "description_and_impact": "An allocation of resources without limits vulnerability in GitLab allows an authenticated user to exhaust system resources when processing specific CI inputs, leading to a denial of service. The weakness corresponds to excessive resource consumption, which can degrade availability for all users. This is a classic case of CWE-770, where a program fails to control resource usage properly.", "risk_and_exploitability": "The CVSS score is 6.5, indicating moderate severity, and there is no EPSS score available. The vulnerability is not listed in the CISA KEV catalog, meaning no confirmed widespread exploitation is known. The attack requires authentication, so an attacker must first gain valid credentials to trigger the resource exhaustion and cause the denial of service."}}}}, "created": "2026-03-25T21:46:47.385816+00:00", "updated": "2026-03-26T11:34:30.172658+00:00", "vendors": ["gitlab", "gitlab$PRODUCT$gitlab"]}