CVE-2025-14870: Allocation of Resources Without Limits or Throttling in GitLab

Q: What is the severity of CVE-2025-14870?

CVE-2025-14870 has been classified as a denial of service vulnerability.

Q: Which versions of GitLab are affected by CVE-2025-14870?

CVE-2025-14870 affects GitLab versions from 18.5 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3.

Q: How do I fix CVE-2025-14870?

To fix CVE-2025-14870, you should upgrade to GitLab version 18.9.7, 18.10.6, or 18.11.3 or later.

Q: What does CVE-2025-14870 exploit?

CVE-2025-14870 exploits the allocation of resources without limits or throttling, potentially allowing denial of service.

Q: Is CVE-2025-14870 an authenticated or unauthenticated vulnerability?

CVE-2025-14870 can be exploited by unauthenticated users.

Published May 14, 2026

Updated

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.5 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by sending specially crafted JSON payloads due to insufficient input validation.

Affected Software

8 affected components

GitLab GitLab CE>=18.5<18.9.7, >=18.10<18.10.6, >=18.11<18.11.3

GitLab GitLab EE>=18.5<18.9.7, >=18.10<18.10.6, >=18.11<18.11.3

GitLab GitLab>=18.5.0<18.9.7

GitLab GitLab>=18.10.0<18.10.6

GitLab GitLab>=18.11.0<18.11.3

Remediation

Information

Upgrade to versions 18.9.7, 18.10.6, 18.11.3 or above.

Event History

May 14, 2026

CVE Published

via MITRE·05:37 AM

Data Sourced

via MITRE·05:37 AM

RemedyDescriptionSeverityWeakness

Data Sourced

via NVD·06:16 AM

DescriptionSeverityWeaknessAffected Software

Frequently Asked Questions

What is the severity of CVE-2025-14870?

CVE-2025-14870 has been classified as a denial of service vulnerability.

Which versions of GitLab are affected by CVE-2025-14870?

CVE-2025-14870 affects GitLab versions from 18.5 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3.

How do I fix CVE-2025-14870?