Cyber Resilience

CVE-2023-6386

Medium · DDoS

Published: 05 February 2025
Modified: 05 August 2025
KEV Added: not listed
Patch: available (fixed releases listed below)
CVSS Score v3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0283 (86.5th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-6386 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE). Its CVSS v3.1 base score is 6.5 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). Its EPSS score places it in the top 13.5% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability); the definitive fix is flaw remediation (SI-2), i.e. upgrading to a patched release.

Deeper analysis

CVE-2023-6386 is a denial of service vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE). It affects all versions from 15.11 prior to 16.6.7, 16.7 prior to 16.7.5, and 16.8 prior to 16.8.2. The issue enables an attacker to spike the GitLab instance's resource usage, resulting in service degradation. It carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-770 (Allocation of Resources Without Limits or Throttling).

An attacker holding only a low-privileged authenticated account (PR:L in the vector) can exploit this vulnerability remotely over the network, with low attack complexity and no user interaction required. Exploitation drives resource consumption on the GitLab instance high enough to degrade performance or make the service unavailable (A:H), with no effect on confidentiality or integrity.

Mitigation requires upgrading to GitLab 16.6.7, 16.7.5, 16.8.2, or later versions, where the vulnerability is fixed. Additional details are available in the GitLab security issue tracker at https://gitlab.com/gitlab-org/gitlab/-/issues/433147 and the corresponding HackerOne disclosure report at https://hackerone.com/reports/2261581.
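To check an instance or a fleet against the affected ranges given above, the following added example (not from the advisory or the GitLab project) parses GitLab version strings, including the -ce/-ee edition suffix, and classifies each one against the three ranges. The hostnames and version strings in SAMPLE_FLEET are constructed for illustration.

```python
"""Offline check of GitLab version strings against the CVE-2023-6386 ranges.

Added example, not code from the advisory or from GitLab. The ranges are the
ones the advisory states: 15.11 <= v < 16.6.7, 16.7 <= v < 16.7.5 and
16.8 <= v < 16.8.2. Everything in SAMPLE_FLEET is constructed sample data.
"""
import re

# (inclusive lower bound, exclusive upper bound), as tuples of ints.
AFFECTED_RANGES = [
    ((15, 11, 0), (16, 6, 7)),
    ((16, 7, 0), (16, 7, 5)),
    ((16, 8, 0), (16, 8, 2)),
]

# GitLab reports versions such as "16.7.4-ee"; the edition suffix is ignored
# because CE and EE share the affected ranges. A leading "v" is tolerated.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Parse 'MAJOR.MINOR[.PATCH][-ee|-ce]' into a (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip().lstrip("vV"))
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(text):
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def status(text):
    """Classify a version as:
    'affected'     - inside an affected range;
    'fixed'        - at or past the patched release of its branch (or later);
    'not-in-range' - older than 15.11, which this advisory does not cover.
    """
    v = parse_version(text)
    if any(lo <= v < hi for lo, hi in AFFECTED_RANGES):
        return "affected"
    if v < AFFECTED_RANGES[0][0]:
        return "not-in-range"
    return "fixed"


# Constructed inventory: hostname -> version string as GitLab reports it.
SAMPLE_FLEET = {
    "gitlab-prod": "16.7.4-ee",
    "gitlab-stage": "16.8.2-ce",
    "gitlab-legacy": "15.10.3-ce",
    "gitlab-dev": "16.6.6-ee",
}


def triage(fleet):
    """Return {hostname: status} for a mapping of hostname -> version string."""
    return {host: status(ver) for host, ver in fleet.items()}


if __name__ == "__main__":
    for host, result in triage(SAMPLE_FLEET).items():
        print(f"{host:15s} {SAMPLE_FLEET[host]:12s} {result}")
```

Version strings in the form GitLab itself reports them (for example from the `/api/v4/version` endpoint or `gitlab-rake gitlab:env:info`) can be fed straight into status(). A result of fixed only means the build is at or past the patched release of its branch; it says nothing about whether the instance enforces the request and resource limits that SC-5 and SC-6 call for.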


Vulnerability details

A denial of service vulnerability was identified in GitLab CE/EE, affecting all versions from 15.11 prior to 16.6.7, 16.7 prior to 16.7.5 and 16.8 prior to 16.8.2 which allows an attacker to spike the GitLab instance resource usage resulting in service degradation.

CWE(s)

CWE-770 Allocation of Resources Without Limits or Throttling

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

CVE enables authenticated remote resource exhaustion DoS via application exploitation (CWE-770).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-1725 (same product: GitLab)
CVE-2024-2878 (same product: GitLab)
CVE-2025-1257 (same product: GitLab)
CVE-2025-13929 (same product: GitLab)
CVE-2026-1102 (same product: GitLab)
CVE-2025-13927 (same product: GitLab)
CVE-2026-1456 (same product: GitLab)
CVE-2025-12664 (same product: GitLab)
CVE-2026-0958 (same product: GitLab)
CVE-2026-3988 (same product: GitLab)

Affected Assets

gitlab / gitlab (GitLab CE/EE)
15.11.0 up to (excluding) 16.6.7 · 16.7.0 up to (excluding) 16.7.5 · 16.8.0 up to (excluding) 16.8.2

Mitigating Controls (NIST 800-53 r5) (AI)

SC-5 Denial-of-service Protection (prevent): directly protects against denial-of-service vulnerabilities like CVE-2023-6386 by limiting the effects of resource exhaustion attacks.

SC-6 Resource Availability (prevent): ensures resource availability by enforcing allocation limits and throttling, addressing the CWE-770 root cause of unbounded resource usage in GitLab.

SI-2 Flaw Remediation (prevent): mandates timely flaw remediation through patching, directly mitigating CVE-2023-6386 by upgrading to the fixed GitLab versions.
