3121 matches found
CVE-2025-10867
An issue has been discovered in GitLab CE/EE affecting all versions from 18.1 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that could have allowed an authenticated user to create a denial-of-service condition by exploiting an unprotected GraphQL API through repeated requests...
CVE-2025-10867 Allocation of Resources Without Limits or Throttling in GitLab
An issue has been discovered in GitLab CE/EE affecting all versions from 18.1 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1 that could have allowed an authenticated user to create a denial-of-service condition by exploiting an unprotected GraphQL API through repeated requests...
CVE-2025-10867
Removed by vendor...
GitLab Security Vulnerability
GitLab is an open source, end-to-end software development platform from GitLab, Inc. with built-in version control, issue tracking, code review, CI/CD Continuous Integration and Continuous Delivery, and other features. A security vulnerability exists in GitLab CE and EE versions prior to 18.2.7,...
GitLab Security Vulnerability
GitLab is an open source, end-to-end software development platform from GitLab, Inc. with built-in version control, issue tracking, code review, CI/CD continuous integration and continuous delivery, and other features. A security vulnerability exists in GitLab CE and EE versions 17.2 to before...
PT-2025-39623
Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 18.1 through 18.2.6; GitLab CE/EE versions 18.3 through 18.3.2; GitLab CE/EE versions 18.4 through 18.4.0. Description: An authenticated user could create a denial-of-service condition by exploiting an unprotected GraphQL API...
FreeBSD : Gitlab -- Vulnerabilities (477fdc04-9aa2-11f0-961b-2cf05da270f3)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 477fdc04-9aa2-11f0-961b-2cf05da270f3 advisory. Gitlab reports: Denial of Service issue when uploading specifically crafted JSON files impacts...
PT-2025-39625
Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 17.2 through 18.2.6; GitLab CE/EE versions 18.3 through 18.3.2; GitLab CE/EE versions 18.4 through 18.4.0. Description: The software contains an issue that allows an attacker to cause uncontrolled CPU consumption, potentially...
Gitlab -- Vulnerabilities
Gitlab reports: Denial of Service issue when uploading specifically crafted JSON files impacts GitLab CE/EE; Denial of Service issue bypassing query complexity limits impacts GitLab CE/EE; Information disclosure issue in virtual registry configuration for low privileged users impacts GitLab CE/EE...
Query Depth Restriction Bypass
@escape.tech/graphql-armor-max-depth is vulnerable to query depth restriction bypass. The vulnerability is due to the ignoreIntrospection option being enabled by default, which allows an attacker to bypass the max-depth restriction by naming a query or fragment schema...
Allocation Of Resources Without Limits
@escape.tech/graphql-armor-max-depth is vulnerable to Allocation Of Resources Without Limits. The vulnerability is due to improper introspection handling: when ignoreIntrospection is enabled (the default), an attacker can name a query/fragment schema to evade max-depth checks and craft...
SUSE CVE-2025-59358
The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial of service...
Malicious code in @operato/graphql (npm)
The package was compromised and malicious code added. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 384e37db905cd0ec8af48ff1600e883c67419251b1fd354571b151471105d4d3 Any computer that has this package installed or running should be considered fully compromised. All...
Chaos Mesh Critical GraphQL Flaws Enable RCE and Full Kubernetes Cluster Takeover
Cybersecurity researchers have disclosed multiple critical security vulnerabilities in Chaos Mesh that, if successfully exploited, could lead to cluster takeover in Kubernetes environments. "Attackers need only minimal in-cluster network access to exploit these vulnerabilities, execute the...
ai.ancf.lmos-router:lmos-router-hybrid-spring-boot-starter (=0.28.0), ai.ancf.lmos-router:lmos-router-llm-in-spring-cloud-gateway-demo (=0.28.0) +18121 more potentially affected by CVE-2025-41249 via org.springframework:spring-core (>=6.0.0 <=6.1.21)
org.springframework:spring-core MAVEN version =6.0.0, =0.1.1, =0.1.1, =0.1.1, =0.1.1, =0.0.4, =0.1.0, =0.1.0, =0.12.1 - ai.djl.spring:djl-spring-boot-starter-autoconfigure =0.26 - ai.djl.spring:djl-spring-boot-starter-mxnet-auto =0.26 - ai.djl.spring:djl-spring-boot-starter-mxnet-linux-x8664 =0.2...
Malicious code in graphql-sequelize-teselagen (npm)
The package was compromised and malicious code added. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 61bd0f16d8ac09ad8d170113bc0bc5ed2cbba4f9d406fa9a852cface0b40be37 Any computer that has this package installed or running should be considered fully compromised. All...
GHSA-JJ4J-X5WW-CWH9 Before action, Ash's hooks may execute in certain scenarios despite a request being forbidden
Summary: Certain bulk action calls with a before_transaction hook and no after_transaction hook will call the before_transaction hook before authorization is checked and a Forbidden error is returned, when called as a bulk action. The impact is that a malicious user could cause a before_transaction t...
Chaos Mesh's Chaos Controller Manager is Missing Authentication for Critical Function
The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial of service...
CVE-2025-59358 Denial of Service via Unauthorized Access to Chaos Mesh debugging server
The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial of service...