CVE-2025-13929
Published: 11 March 2026
Summary
CVE-2025-13929 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in GitLab (vendor GitLab). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 18.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2025-13929 is a denial-of-service vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE), affecting all versions from 10.0 prior to 18.7.6, 18.8 prior to 18.8.6, and 18.9 prior to 18.9.2. The flaw enables an unauthenticated user to trigger a DoS by issuing specially crafted requests to repository archive endpoints under certain conditions. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-770 (Allocation of Resources Without Limits or Throttling).
An unauthenticated attacker with network access can exploit this vulnerability with low attack complexity, no required privileges, and no user interaction. Exploitation causes high-impact disruption to service availability on the affected GitLab instance, without affecting confidentiality or integrity.
GitLab has remediated the issue via patches in versions 18.7.6, 18.8.6, and 18.9.2, as detailed in the March 11, 2026 patch release notes for 18.9.2. Administrators should prioritize upgrading to these fixed versions; further technical details are available in the associated GitLab issue tracker (gitlab.com/gitlab-org/gitlab/-/issues/582738) and HackerOne report (hackerone.com/reports/3441004).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208575
Vulnerability details
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.0 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service by issuing specially crafted requests to repository archive endpoints under certain conditions.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated network exploitation of public GitLab web endpoints directly matches T1190; the resulting availability impact caused through an application flaw matches T1499.004.
Mitigating Controls (NIST 800-53 r5)
- Directly remediates the specific GitLab flaw allowing DoS via specially crafted repository archive requests by requiring timely patching to fixed versions.
- SC-5 (Denial-of-service Protection): prevents denial-of-service events, including resource exhaustion from unauthenticated crafted requests to repository endpoints.
- SC-6 (Resource Availability): controls resource allocation to mitigate CWE-770 unlimited consumption triggered by specially crafted requests without throttling.
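The SC-5/SC-6 controls above amount to a per-client budget on the expensive archive endpoint so that a burst of unauthenticated requests cannot consume unbounded resources. The following is an added example, not GitLab's own code or configuration: a sliding-window throttle for repository archive requests, replayed over a constructed access log to show which requests a deployment would serve and which it would reject. The log format (client, timestamp, path) is invented for the example, and the path pattern assumes GitLab's `/-/archive/<ref>/<name>.<ext>` URL shape. It illustrates the control only; the actual remediation for this CVE is upgrading to 18.7.6, 18.8.6 or 18.9.2.

```python
"""Sliding-window throttle for repository archive requests (constructed example)."""
import re
from collections import defaultdict, deque

# Assumed GitLab archive URL shape: /<namespace>/<project>/-/archive/<ref>/<name>.<ext>
ARCHIVE_PATH = re.compile(r"^/[^\s?]+/-/archive/[^\s?]+\.(?:zip|tar\.gz|tar\.bz2|tar)$")


def is_archive_request(path: str) -> bool:
    """True if the request path targets a repository archive endpoint."""
    return ARCHIVE_PATH.match(path) is not None


class ArchiveThrottle:
    """Allow at most `limit` archive requests per client in any `window` seconds.

    A request that exceeds the budget is rejected before any archive work is done,
    which is the point of the SC-6 style control: bound the resources one client
    can make the server allocate.
    """

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # client -> timestamps of accepted requests

    def allow(self, client: str, ts: float) -> bool:
        hits = self._hits[client]
        # Forget accepted requests that have aged out of the window.
        while hits and ts - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False  # over budget for this window
        hits.append(ts)
        return True


# Constructed log lines (not real GitLab logs): "<client-ip> <unix-ts> <path>".
# 198.51.100.7 fires six archive requests in six seconds, then returns later;
# 203.0.113.9 fetches one archive and one ordinary page.
SAMPLE_LOG = """
198.51.100.7 100 /grp/app/-/archive/main/app-main.zip
198.51.100.7 101 /grp/app/-/archive/main/app-main.tar.gz
198.51.100.7 102 /grp/app/-/archive/v1.0/app-v1.0.zip
198.51.100.7 103 /grp/app/-/archive/v1.1/app-v1.1.zip
198.51.100.7 104 /grp/app/-/archive/v1.2/app-v1.2.zip
198.51.100.7 105 /grp/app/-/archive/v1.3/app-v1.3.zip
203.0.113.9 110 /grp/app/-/archive/main/app-main.zip
203.0.113.9 111 /grp/app/-/blob/main/README.md
198.51.100.7 200 /grp/app/-/archive/main/app-main.zip
"""


def replay(log_text: str, limit: int = 5, window: float = 60.0) -> dict:
    """Replay a log through the throttle; return per-client allowed/denied counts."""
    throttle = ArchiveThrottle(limit, window)
    allowed, denied = defaultdict(int), defaultdict(int)
    for line in log_text.strip().splitlines():
        client, ts, path = line.split()
        if not is_archive_request(path):
            continue  # ordinary traffic is not charged against the archive budget
        if throttle.allow(client, float(ts)):
            allowed[client] += 1
        else:
            denied[client] += 1
    return {"allowed": dict(allowed), "denied": dict(denied)}


if __name__ == "__main__":
    for kind, counts in replay(SAMPLE_LOG).items():
        print(kind, counts)
```

With a budget of 5 per 60 seconds, the sixth burst request from 198.51.100.7 is rejected while its request at t=200 is accepted again once the earlier ones have aged out, and the other client is untouched. Keying the budget on source IP alone is coarse (shared NAT egress or a reverse proxy that does not forward the client address will lump users together), so a production deployment keys on the forwarded client address and tunes the limit to real archive traffic.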