
3127 matches found

Snyk, added 2025/09/26 3:00 p.m., 2 views

Cross-site Request Forgery (CSRF)

Overview: @apollo/sandbox hosts the source for Apollo Studio's Embeddable Sandbox. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via missing origin validation in the window.postMessage process. An attacker can execute unauthorized GraphQL queries...

CVSS 8.2, AI score 7, EPSS 0.00149
Exploits 0, References 3
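Added example, not the @apollo/sandbox code: the class of bug in the Snyk entry above is a frame that executes GraphQL operations received over window.postMessage without checking where the message came from. The block below contrasts that unchecked pattern with a handler that validates event.origin against an exact-match allow-list and pins the reply origin. The allow-listed origin, the message shape, the executor stub and the three events are assumptions of this example; browser MessageEvents are simulated as plain objects so it runs under Node.

```javascript
// Added example, not Apollo's code. A frame that accepts GraphQL operations over
// window.postMessage must check event.origin before acting on the message.
// Browser MessageEvents are simulated as plain objects so this runs under Node.

// Assumption: the only page allowed to drive this frame is the embedding host.
const ALLOWED_ORIGINS = new Set(["https://studio.example.com"]);

// Vulnerable pattern: acts on any message of the right shape, whoever sent it.
// Any page that can obtain a reference to the frame's window (by embedding it
// in its own iframe, for instance) can post such a message with the victim's
// session behind it.
function vulnerableHandler(event, execute) {
  const msg = event.data;
  if (msg && msg.type === "ExecuteOperation") {
    return execute(msg.operation, msg.variables || {});
  }
  return null;
}

// Hardened pattern: exact-match allow-list on event.origin, then strict
// validation of the payload. Never compare with startsWith/indexOf, which
// would let "https://studio.example.com.evil.example" through.
function hardenedHandler(event, execute) {
  if (typeof event.origin !== "string" || !ALLOWED_ORIGINS.has(event.origin)) {
    return null; // drop messages from every other origin
  }
  const msg = event.data;
  if (!msg || typeof msg !== "object" || msg.type !== "ExecuteOperation") return null;
  if (typeof msg.operation !== "string") return null;
  const vars = msg.variables && typeof msg.variables === "object" ? msg.variables : {};
  return execute(msg.operation, vars);
}

// When replying, pin the target origin to the validated sender instead of "*",
// so a window at another origin cannot read the response.
function reply(event, payload, post) {
  if (!ALLOWED_ORIGINS.has(event.origin)) return false;
  post(payload, event.origin);
  return true;
}

// Constructed stand-in for the GraphQL executor: records what would be sent.
function makeRecorder() {
  const sent = [];
  return { sent, execute: (op, vars) => { sent.push({ op, vars }); return { ok: true }; } };
}

// Constructed events: an attacker page, the trusted host, and a look-alike origin.
const ATTACKER_EVENT = {
  origin: "https://evil.example",
  data: { type: "ExecuteOperation", operation: "mutation { deleteProject(id: 1) }" },
};
const TRUSTED_EVENT = {
  origin: "https://studio.example.com",
  data: { type: "ExecuteOperation", operation: "query { me { id } }" },
};
const LOOKALIKE_EVENT = {
  origin: "https://studio.example.com.evil.example",
  data: { type: "ExecuteOperation", operation: "query { secrets }" },
};

// Feed all three events to a handler and return the operations it executed.
function runScenario(handler) {
  const rec = makeRecorder();
  for (const ev of [ATTACKER_EVENT, TRUSTED_EVENT, LOOKALIKE_EVENT]) handler(ev, rec.execute);
  return rec.sent.map((s) => s.op);
}
```

In a real frame the hardened function sits behind `window.addEventListener("message", (ev) => hardenedHandler(ev, runGraphQL))`; runScenario(vulnerableHandler) executes all three operations, runScenario(hardenedHandler) only the one from the allow-listed host.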
NVD, added 2025/09/26 10:15 a.m., 4 views

CVE-2025-11042

An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1, that allows an attacker to cause uncontrolled CPU consumption, potentially leading to a Denial of Service (DoS) condition while using specific GraphQL queries...

CVSS 7.5, EPSS 0.00293
Exploits 0, References 1
OSV, added 2025/09/26 9:18 a.m., 3 views

CVE-2025-11042 Allocation of Resources Without Limits or Throttling in GitLab

An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1, that allows an attacker to cause uncontrolled CPU consumption, potentially leading to a Denial of Service (DoS) condition while using specific GraphQL queries...

CVSS 4.3, AI score 6.5, EPSS 0.00293
Exploits 0, References 4
Vulnrichment, added 2025/09/26 9:18 a.m., 2 views

CVE-2025-11042 Allocation of Resources Without Limits or Throttling in GitLab

An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1, that allows an attacker to cause uncontrolled CPU consumption, potentially leading to a Denial of Service (DoS) condition while using specific GraphQL queries...

CVSS 4.3, AI score 6.5, EPSS 0.00293
Exploits 0, References 1
Cvelist, added 2025/09/26 9:18 a.m., 6 views

CVE-2025-11042 Allocation of Resources Without Limits or Throttling in GitLab

An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1, that allows an attacker to cause uncontrolled CPU consumption, potentially leading to a Denial of Service (DoS) condition while using specific GraphQL queries...

CVSS 4.3, EPSS 0.00293
Exploits 0, References 1
CVE, added 2025/09/26 9:18 a.m., 21 views

CVE-2025-11042

Summary (CVE-2025-11042) : GitLab CE/ EE suffers a DoS-style flaw where specific GraphQL queries can cause uncontrolled CPU consumption across affected versions: 17.2–before 18.2.7, 18.3–before 18.3.3, and 18.4–before 18.4.1. The issue is linked to resource management during GraphQL handling and ...

CVSS 7.5, AI score 6.5, EPSS 0.00293
Exploits 0, References 1, Affected Software 1
NVD, added 2025/09/26 9:15 a.m., 4 views

CVE-2025-10867

An issue has been discovered in GitLab CE/EE affecting all versions from 18.1 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that could have allowed an authenticated user to create a denial-of-service condition by exploiting an unprotected GraphQL API through repeated requests...

CVSS 6.5, EPSS 0.00305
Exploits 0, References 1
Vulnrichment, added 2025/09/26 9:4 a.m., 2 views

CVE-2025-10867 Allocation of Resources Without Limits or Throttling in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions from 18.1 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that could have allowed an authenticated user to create a denial-of-service condition by exploiting an unprotected GraphQL API through repeated requests...

CVSS 3.5, AI score 6.3, EPSS 0.00305
Exploits 0, References 1
Cvelist, added 2025/09/26 9:4 a.m., 7 views

CVE-2025-10867 Allocation of Resources Without Limits or Throttling in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions from 18.1 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that could have allowed an authenticated user to create a denial-of-service condition by exploiting an unprotected GraphQL API through repeated requests...

CVSS 3.5, EPSS 0.00305
Exploits 0, References 1
Debian CVE, added 2025/09/26 9:4 a.m., 3 views

CVE-2025-10867

Removed by vendor...

CVSS 6.5, AI score 5.8, EPSS 0.00305
Exploits 0
CNNVD, added 2025/09/26 12:00 a.m., 3 views

GitLab security vulnerability

GitLab is an open source, end-to-end software development platform from GitLab, Inc. with built-in version control, issue tracking, code review, CI/CD continuous integration and continuous delivery, and other features. A security vulnerability exists in GitLab CE and EE versions 17.2 to before...

CVSS 7.5, AI score 6.6, EPSS 0.00293
Exploits 0, References 3
Positive Technologies, added 2025/09/26 12:00 a.m., 3 views

PT-2025-39623

Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 18.1 through 18.2.6; GitLab CE/EE versions 18.3 through 18.3.2; GitLab CE/EE versions 18.4 through 18.4.0. Description: An authenticated user could create a denial-of-service condition by exploiting an unprotected GraphQL API...

CVSS 6.5, AI score 6.5, EPSS 0.00305
Exploits 0, References 7
CNNVD, added 2025/09/26 12:00 a.m., 4 views

GitLab security vulnerability

GitLab is an open source, end-to-end software development platform from GitLab, Inc. with built-in version control, issue tracking, code review, CI/CD Continuous Integration and Continuous Delivery, and other features. A security vulnerability exists in GitLab CE and EE versions prior to 18.2.7,...

CVSS 6.5, AI score 6.4, EPSS 0.00305
Exploits 0, References 3
Tenable Nessus, added 2025/09/26 12:00 a.m., 6 views

FreeBSD : Gitlab -- Vulnerabilities (477fdc04-9aa2-11f0-961b-2cf05da270f3)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 477fdc04-9aa2-11f0-961b-2cf05da270f3 advisory. Gitlab reports: Denial of Service issue when uploading specifically crafted JSON files impacts...

CVSS 8.8, AI score 8.5, EPSS 0.00573
Exploits 0, References 10
Positive Technologies, added 2025/09/25 12:00 a.m., 3 views

PT-2025-39625

Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 17.2 through 18.2.6; GitLab CE/EE versions 18.3 through 18.3.2; GitLab CE/EE versions 18.4 through 18.4.0. Description: The software contains an issue that allows an attacker to cause uncontrolled CPU consumption, potentially...

CVSS 7.8, AI score 6.6, EPSS 0.00293
Exploits 0, References 11
FreeBSD, added 2025/09/25 12:00 a.m., 9 views

Gitlab -- Vulnerabilities

Gitlab reports: Denial of Service issue when uploading specifically crafted JSON files impacts GitLab CE/EE; Denial of Service issue bypassing query complexity limits impacts GitLab CE/EE; Information disclosure issue in virtual registry configuration for low privileged users impacts GitLab CE/EE...

CVSS 8.8, AI score 6.6, EPSS 0.00573
Exploits 0, References 1
Veracode, added 2025/09/23 9:54 a.m., 4 views

Query Depth Restriction Bypass

@escape.tech/graphql-armor-max-depth is vulnerable to query depth restriction bypass. The vulnerability is due to the ignoreIntrospection option being enabled by default, which allows an attacker to bypass the max-depth restriction by naming a query or fragment "schema"...

AI score 7
Exploits 0, References 3, Affected Software 1
Veracode, added 2025/09/23 8:44 a.m., 6 views

Allocation Of Resources Without Limits

@escape.tech/graphql-armor-max-depth is vulnerable to Allocation of Resources Without Limits. The vulnerability is due to improper introspection handling: when ignoreIntrospection is enabled (the default), an attacker can name a query or fragment "schema" to evade the max-depth check and craft...

AI score 7
Exploits 0
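Added example, not the graphql-armor code. Both @escape.tech/graphql-armor-max-depth entries above describe the same flaw: an introspection exemption keyed on the name "schema", so a deep query that merely carries that name is never measured. The block below is a small hand-rolled depth limiter that contrasts a name-based exemption with one decided from the fields actually selected, after alias resolution and fragment expansion. The parser (a GraphQL subset: operations, fragments, spreads, aliases; arguments are skipped and directives are unsupported), the query documents and the policy details are assumptions of this example, not the plugin's implementation.

```javascript
// Added example, not the graphql-armor code. A minimal GraphQL max-depth check
// showing why an "ignore introspection" exemption must be decided from the fields
// actually selected (after alias resolution and fragment expansion), never from an
// operation or fragment name. Hand-rolled subset parser (assumption): operations,
// fragments, spreads, aliases; arguments are skipped, directives unsupported.
function tokenize(src) {
  let s = src.replace(/#[^\n]*/g, " ");
  while (/\([^()]*\)/.test(s)) s = s.replace(/\([^()]*\)/g, " "); // drop (arguments)
  return s.match(/\.\.\.|[{}:]|[_A-Za-z][_0-9A-Za-z]*/g) || [];
}
// Returns { operations: [{ name, sel }], fragments: { name: sel } } where a
// selection is a list of { field, sel } | { spread } | { inline }.
function parseDocument(src) {
  const t = tokenize(src), operations = [], fragments = {};
  let i = 0;
  function selectionSet() {
    if (t[i] !== "{") throw new Error("expected { at token " + i);
    i++;
    const items = [];
    while (t[i] !== "}") {
      if (i >= t.length) throw new Error("unterminated selection set");
      if (t[i] === "...") {
        i++;
        if (t[i] === "on") { i += 2; items.push({ inline: selectionSet() }); }
        else items.push({ spread: t[i++] });
      } else {
        let name = t[i++];
        if (t[i] === ":") { i++; name = t[i++]; } // "alias: field": keep the real field name
        items.push({ field: name, sel: t[i] === "{" ? selectionSet() : null });
      }
    }
    i++;
    return items;
  }
  while (i < t.length) {
    if (t[i] === "{") operations.push({ name: null, sel: selectionSet() });
    else if (t[i] === "fragment") { const n = t[i + 1]; i += 4; fragments[n] = selectionSet(); }
    else if (["query", "mutation", "subscription"].includes(t[i])) {
      i++;
      const name = t[i] === "{" ? null : t[i++];
      operations.push({ name, sel: selectionSet() });
    } else throw new Error("unexpected token " + t[i]);
  }
  return { operations, fragments };
}
// Nesting depth of a selection with fragment spreads expanded; cycles are rejected.
function depthOf(sel, fragments, seen = new Set()) {
  let max = 0;
  for (const it of sel) {
    let d;
    if (it.spread !== undefined) {
      if (seen.has(it.spread) || !fragments[it.spread]) throw new Error("bad fragment: " + it.spread);
      d = depthOf(fragments[it.spread], fragments, new Set([...seen, it.spread]));
    } else if (it.inline) d = depthOf(it.inline, fragments, seen);
    else d = 1 + (it.sel ? depthOf(it.sel, fragments, seen) : 0);
    if (d > max) max = d;
  }
  return max;
}
// Vulnerable policy: "is this introspection?" is answered by matching the name
// "schema" on the operation or on a fragment, so a deep query that merely
// carries that name is never measured.
function vulnerableMaxDepth(src, maxDepth, ignoreIntrospection = true) {
  const doc = parseDocument(src);
  for (const op of doc.operations) {
    if (ignoreIntrospection && (op.name === "schema" || "schema" in doc.fragments)) continue;
    if (depthOf(op.sel, doc.fragments) > maxDepth) return false;
  }
  return true;
}
// Hardened policy: exempt an operation only if every top-level field it really
// selects (through aliases, spreads and inline fragments) is a __schema/__type/
// __typename field; everything else is measured against the limit.
function isPureIntrospection(sel, fragments, seen = new Set()) {
  return sel.length > 0 && sel.every((it) => {
    if (it.spread !== undefined) {
      if (seen.has(it.spread) || !fragments[it.spread]) return false;
      return isPureIntrospection(fragments[it.spread], fragments, new Set([...seen, it.spread]));
    }
    if (it.inline) return isPureIntrospection(it.inline, fragments, seen);
    return it.field.startsWith("__");
  });
}
function hardenedMaxDepth(src, maxDepth, ignoreIntrospection = true) {
  const doc = parseDocument(src);
  for (const op of doc.operations) {
    if (ignoreIntrospection && isPureIntrospection(op.sel, doc.fragments)) continue;
    if (depthOf(op.sel, doc.fragments) > maxDepth) return false;
  }
  return true;
}
// Constructed documents (not from the advisory); the first three have depth 6.
const DEEP_NAMED_SCHEMA = "query schema { user { friends { friends { friends { friends { id } } } } } }";
const DEEP_FRAGMENT_SCHEMA = "query { user { ...schema } } " +
  "fragment schema on User { friends { friends { friends { friends { id } } } } }";
const DEEP_ALIASED = "query { __schema: user { friends { friends { friends { friends { id } } } } } }";
const INTROSPECTION = "query Q { __schema { types { name fields { name } } } }"; // depth 4
```

With a limit of 4, vulnerableMaxDepth accepts DEEP_NAMED_SCHEMA and DEEP_FRAGMENT_SCHEMA while hardenedMaxDepth rejects both, and the aliased document shows why the check must look at the real field name rather than the alias. Even the hardened exemption is a policy choice: the conservative setting is to leave the introspection exemption off, measure the depth of the introspection query your own tooling sends, and set the limit above that.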
SUSE CVE, added 2025/09/19 11:22 p.m., 3 views

SUSE CVE-2025-59358

The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial of service...

CVSS 7.5, AI score 7.2, EPSS 0.00987
Exploits 1, References 2
OSSF Malicious Packages, added 2025/09/16 5:5 p.m., 4 views

Malicious code in @operato/graphql (npm)

The package was compromised and malicious code added. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 384e37db905cd0ec8af48ff1600e883c67419251b1fd354571b151471105d4d3 Any computer that has this package installed or running should be considered fully compromised. All...

AI score 7.1
Exploits 0, References 6