Impact
GitLab has fixed an issue in GitLab CE and EE affecting all releases from 18.5 up to, but not including, 18.9.7; 18.10 up to, but not including, 18.10.6; and 18.11 up to, but not including, 18.11.3. The flaw allows an unauthenticated user to trigger a denial of service by sending specially crafted payloads to specific API endpoints. It stems from improper validation of a quantity parameter, so a request carrying an out-of-range value leads to resource exhaustion or a crash. Because the affected endpoints are reachable without credentials, a single remote sender can degrade or take down the instance for every user and every CI/CD pipeline that depends on it.
Affected Systems
The issue affects GitLab Community Edition and Enterprise Edition at the following versions: 18.5.0 through 18.9.6, 18.10.0 through 18.10.5, and 18.11.0 through 18.11.2. The first fixed releases are 18.9.7, 18.10.6 and 18.11.3; those releases and anything later on the same branch are not affected.
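Because the affected set spans several minor branches (everything from 18.5.0 up to 18.9.6, then two narrower windows), a string comparison against the version is easy to get wrong. The following added example, which is not code from the advisory or from GitLab, encodes the three ranges above as half-open intervals and checks a version string against them. It accepts the `MAJOR.MINOR.PATCH[-suffix]` form that GitLab's `GET /api/v4/version` endpoint returns; the JSON sample at the bottom is constructed for the example.

```python
import json
from typing import Tuple

Version = Tuple[int, int, int]

# Affected branches from the advisory, as half-open intervals:
# a version v is affected when first_affected <= v < first_fixed.
# Tuple ordering handles the multi-branch span 18.5.x .. 18.9.6 correctly.
AFFECTED_RANGES = (
    ((18, 5, 0), (18, 9, 7)),    # 18.5 up to, but not including, 18.9.7
    ((18, 10, 0), (18, 10, 6)),  # 18.10 up to, but not including, 18.10.6
    ((18, 11, 0), (18, 11, 3)),  # 18.11 up to, but not including, 18.11.3
)


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH]' and ignore a trailing '-ee' / '-pre' suffix.

    Raises ValueError rather than guessing when the string is not a version,
    so an unexpected response is never silently treated as 'not affected'.
    """
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_affected(text: str) -> bool:
    """True when the version falls inside any affected range."""
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def check_version_response(body: str) -> dict:
    """Evaluate the JSON body returned by GET /api/v4/version.

    Returns a small report dict so the result can be logged or asserted on.
    """
    data = json.loads(body)
    version = data["version"]
    return {
        "version": version,
        "parsed": parse_version(version),
        "affected": is_affected(version),
    }


if __name__ == "__main__":
    # Constructed sample response; a real one is fetched with a PAT, e.g.
    #   curl -H "PRIVATE-TOKEN: $TOKEN" https://gitlab.example/api/v4/version
    sample = '{"version": "18.9.6-ee", "revision": "deadbeef"}'
    print(check_version_response(sample))
```

The ranges are stored as tuples of integers and compared as tuples; comparing the raw strings would, for instance, rank "18.10.5" below "18.9.7" and misclassify both windows. Any version the parser does not understand raises rather than returning a reassuring `False`.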
Risk and Exploitability
A CVSS score of 7.5 places the flaw in the High severity band. No EPSS score had been assigned and the CVE is not in the CISA KEV catalogue, so there was no evidence of exploitation in the wild at the time of writing; that absence should not be read as low risk, since an unauthenticated DoS needs no foothold and is cheap to repeat. The attack vector is unauthenticated HTTP requests to the vulnerable API endpoints: the attacker need only supply an out-of-range or otherwise malformed value in the unvalidated quantity field. Once the server processes such a request it may become unresponsive or crash, denying service to every user of the instance. The only complete remediation is upgrading to a fixed release; rate limiting at the reverse proxy can reduce the volume an attacker can send but does not remove the defect.
OpenCVE Enrichment