CVE-2025-1257
Published: 13 March 2025
Summary
CVE-2025-1257 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Gitlab Gitlab. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly implements denial-of-service protections at API entry points to prevent resource exhaustion from manipulated inputs.
Protects resource availability by limiting allocations and monitoring for exhaustion caused by malicious API inputs.
Validates specific API inputs to block malformed data leading to unbounded resource allocation and DoS.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a remotely exploitable DoS in a public-facing GitLab application via malicious API inputs causing resource exhaustion (CWE-770), directly mapping to T1190 for exploiting public-facing applications and T1499.004 for application/system exploitation leading to denial of service.
NVD Description
An issue was discovered in GitLab EE affecting all versions starting with 12.3 before 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to 17.9.2. A vulnerability in certain GitLab instances could allow an attacker to cause a denial of service…
more
condition by manipulating specific API inputs.
Deeper analysisAI
CVE-2025-1257 is a denial-of-service vulnerability in GitLab Enterprise Edition (EE), affecting all versions starting from 12.3 before 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to 17.9.2. The issue stems from the ability to manipulate specific API inputs in certain GitLab instances, leading to resource exhaustion as classified under CWE-770 (Allocation of Resources Without Limits or Throttling). It carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H), indicating medium severity with high impact on availability but no confidentiality or integrity effects.
An unauthenticated attacker accessible over the network can exploit this vulnerability with low complexity by crafting and submitting malicious API inputs, though it requires user interaction to trigger. Successful exploitation results in a denial-of-service condition, potentially disrupting GitLab services such as API responsiveness or instance stability without compromising data or escalating privileges.
Mitigation involves upgrading to GitLab EE versions 17.7.7 or later, 17.8.5 or later, or 17.9.2 or later, as indicated by the affected version ranges in the advisory. Additional details are available in the GitLab issue tracker at https://gitlab.com/gitlab-org/gitlab/-/issues/519348 and the originating HackerOne report at https://hackerone.com/reports/2984218.
Details
- CWE(s)