CVE-2025-1257

CVE-2025-1257 is a denial-of-service vulnerability in GitLab Enterprise Edition (EE), affecting all versions starting from 12.3 before 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to 17.9.2. The issue stems from the ability to manipulate specific API inputs in certain GitLab instances, leading to resource exhaustion as classified under CWE-770 (Allocation of Resources Without Limits or Throttling). It carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H), indicating medium severity with high impact on availability but no confidentiality or integrity effects.

An unauthenticated attacker accessible over the network can exploit this vulnerability with low complexity by crafting and submitting malicious API inputs, though it requires user interaction to trigger. Successful exploitation results in a denial-of-service condition, potentially disrupting GitLab services such as API responsiveness or instance stability without compromising data or escalating privileges.

Mitigation involves upgrading to GitLab EE versions 17.7.7 or later, 17.8.5 or later, or 17.9.2 or later, as indicated by the affected version ranges in the advisory. Additional details are available in the GitLab issue tracker at https://gitlab.com/gitlab-org/gitlab/-/issues/519348 and the originating HackerOne report at https://hackerone.com/reports/2984218.