{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14513", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "state": "PUBLISHED", "assignerShortName": "GitLab", "dateReserved": "2025-12-11T06:33:37.961Z", "datePublished": "2026-03-11T16:05:30.683Z", "dateUpdated": "2026-03-11T19:32:33.904Z"}, "containers": {"cna": {"title": "Improper Validation of Specified Quantity in Input in GitLab", "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service condition due to improper input validation when processing specially crafted JSON payloads in the protected branches API."}], "affected": [{"vendor": "GitLab", "product": "GitLab", "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", "cpes": ["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"], "versions": [{"version": "16.11", "status": "affected", "lessThan": "18.7.6", "versionType": "semver"}, {"version": "18.8", "status": "affected", "lessThan": "18.8.6", "versionType": "semver"}, {"version": "18.9", "status": "affected", "lessThan": "18.9.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-1284: Improper Validation of Specified Quantity in Input", "cweId": "CWE-1284", "type": "CWE"}]}], "references": [{"url": "https://hackerone.com/reports/3452477", "name": "HackerOne Bug Bounty Report #3452477", "tags": ["technical-description", "exploit", "permissions-required"]}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/583718"}, {"url": "https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "solutions": [{"lang": "en", "value": "Upgrade to versions 18.7.6, 18.8.6, 18.9.2 or above."}], "credits": [{"lang": "en", "value": "Thanks [a92847865](https://hackerone.com/a92847865) for reporting this vulnerability through our HackerOne bug bounty program", "type": "finder"}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2026-03-11T16:05:30.683Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T19:31:51.194051Z", "id": "CVE-2025-14513", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T19:32:33.904Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14513", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "state": "PUBLISHED", "assignerShortName": "GitLab", "dateReserved": "2025-12-11T06:33:37.961Z", "datePublished": "2026-03-11T16:05:30.683Z", "dateUpdated": "2026-03-11T19:32:33.904Z"}, "containers": {"cna": {"title": "Improper Validation of Specified Quantity in Input in GitLab", "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service condition due to improper input validation when processing specially crafted JSON payloads in the protected branches API."}], "affected": [{"vendor": "GitLab", "product": "GitLab", "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", "cpes": ["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"], "versions": [{"version": "16.11", "status": "affected", "lessThan": "18.7.6", "versionType": "semver"}, {"version": "18.8", "status": "affected", "lessThan": "18.8.6", "versionType": "semver"}, {"version": "18.9", "status": "affected", "lessThan": "18.9.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-1284: Improper Validation of Specified Quantity in Input", "cweId": "CWE-1284", "type": "CWE"}]}], "references": [{"url": "https://hackerone.com/reports/3452477", "name": "HackerOne Bug Bounty Report #3452477", "tags": ["technical-description", "exploit", "permissions-required"]}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/583718"}, {"url": "https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "solutions": [{"lang": "en", "value": "Upgrade to versions 18.7.6, 18.8.6, 18.9.2 or above."}], "credits": [{"lang": "en", "value": "Thanks [a92847865](https://hackerone.com/a92847865) for reporting this vulnerability through our HackerOne bug bounty program", "type": "finder"}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2026-03-11T16:05:30.683Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14513", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T19:31:51.194051Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T19:32:25.516Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "A7913596-C173-4DB6-ADC6-61AB59A7513C", "versionEndExcluding": "18.7.6", "versionStartIncluding": "16.11.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "60B87D4E-DB42-4B3D-845D-9E15654EF082", "versionEndExcluding": "18.7.6", "versionStartIncluding": "16.11.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "B703CB01-7F6D-4D6E-AE88-CF2F8012CA27", "versionEndExcluding": "18.8.6", "versionStartIncluding": "18.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "2B1F834B-A628-4894-A531-1A2A60DD58D7", "versionEndExcluding": "18.8.6", "versionStartIncluding": "18.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "44EAE9A6-5ED9-42F6-9BBD-0E2F8072F0D9", "versionEndExcluding": "18.9.2", "versionStartIncluding": "18.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "12A2DEC0-C471-4C98-960C-405209403AB9", "versionEndExcluding": "18.9.2", "versionStartIncluding": "18.9.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service condition due to improper input validation when processing specially crafted JSON payloads in the protected branches API."}], "id": "CVE-2025-14513", "lastModified": "2026-03-13T12:34:46.100", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "cve@gitlab.com", "type": "Secondary"}]}, "published": "2026-03-11T16:16:19.223", "references": [{"source": "cve@gitlab.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released/"}, {"source": "cve@gitlab.com", "tags": ["Broken Link"], "url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/583718"}, {"source": "cve@gitlab.com", "tags": ["Permissions Required"], "url": "https://hackerone.com/reports/3452477"}], "sourceIdentifier": "cve@gitlab.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1284"}], "source": "cve@gitlab.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[16.11,18.7.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[18.8,18.8.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[18.9,18.9.2)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "GitLab", "source": "cna", "vendor": "GitLab"}, "product": "gitlab", "vendor": "gitlab"}], "analysis": {"en": {"generated_at": "2026-03-17T14:44:10.401407+00:00", "value": {"mitigation_remediation": ["Upgrade to GitLab version 18.7.6, 18.8.6, 18.9.2 or later."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Affected systems are GitLab Community Edition and Enterprise Edition instances running any version from 16.11 up to, but not including, 18.7.6; 18.8 versions prior to 18.8.6; and 18.9 versions prior to 18.9.2. All GitLab official products, including community and enterprise editions, are impacted, as indicated by the provided CPE strings.", "description_and_impact": "The vulnerability is an improper input validation flaw in GitLab's protected branches API that allows an unauthenticated user to send specially crafted JSON payloads. If exploited, the attacker can cause a denial of service condition, preventing legitimate users from accessing the API or potentially exhausting system resources. This weakness aligns with CWE-1284, where validation errors lead to service disruption.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity. The EPSS score of less than 1% suggests that the exploit probability is currently low. The vulnerability is not listed in CISA's KEV catalog. Because the attack requires unauthenticated access and only leads to service interruption, the risk is primarily availability degradation rather than confidentiality or integrity compromise. Exploitation would involve sending a crafted JSON request to the protected branches API endpoint to trigger the denial of service."}}}}, "created": "2026-03-12T09:58:09.728638+00:00", "updated": "2026-03-20T15:30:45.597628+00:00", "vendors": ["gitlab", "gitlab$PRODUCT$gitlab"]}