Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.0 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service by issuing specially crafted requests to repository archive endpoints under certain conditions.
Published: 2026-03-11
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

GitLab’s repository archive endpoint processes specially crafted requests that can cause resource exhaustion, enabling an unauthenticated attacker to trigger a denial‑of‑service (DoS). The flaw stems from insufficient limits on resource allocation during archive generation, classified as CWE‑770. Once exploited, the affected system can become unresponsive, denying legitimate users access to the platform. The vulnerability affects all GitLab Community Edition (CE) and Enterprise Edition (EE) releases from v10.0 up to but excluding v18.7.6, v18.8.6, and v18.9.2, meaning that the majority of installations older than these patches are at risk.

Affected Systems

All instances of GitLab CE and EE that have not applied the corrective upgrade are affected. Specifically, every released version between 10.0 and 18.9.1 is impacted. GitLab CE and EE deployments must evaluate whether they are running a vulnerable version and apply the patch accordingly.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, and while the EPSS score is below 1%, indicating a low current exploit probability, the lacking presence in the CISA KEV catalog does not preclude potential use by attackers. Because the bug can be triggered by unauthenticated web requests, it is remotely exploitable over the network. Successful exploitation results in service disruption, making this a high priority to remediate.

Generated by OpenCVE AI on March 17, 2026 at 14:43 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.7.6, 18.8.6, 18.9.2 or above.

OpenCVE Recommended Actions

  • Apply the vendor patch by upgrading to GitLab version 18.7.6, 18.8.6, 18.9.2 or later.

Generated by OpenCVE AI on March 17, 2026 at 14:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 12:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Thu, 12 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.0 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service by issuing specially crafted requests to repository archive endpoints under certain conditions.
Title Allocation of Resources Without Limits or Throttling in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-770
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Gitlab Gitlab
cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-03-12T16:20:28.038Z

Reserved: 2025-12-02T21:33:14.522Z

Link: CVE-2025-13929

cve-icon Vulnrichment

Updated: 2026-03-12T15:42:18.724Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T16:16:19.043

Modified: 2026-03-13T12:33:51.213

Link: CVE-2025-13929

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:30:44Z

Weaknesses