PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-14870 Hackerone CVE debrief

GitLab remediated a high-severity denial-of-service issue in GitLab CE/EE that could be triggered by an unauthenticated attacker sending specially crafted JSON payloads. Affected releases include 18.5 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3.

Vendor: Hackerone
Product: Unknown
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-14
Advisory published: 2026-05-14
Advisory updated: 2026-05-14

Who should care

GitLab CE/EE administrators, DevOps and platform teams, and security owners running instances in the vulnerable ranges 18.5 through 18.9.6, 18.10 through 18.10.5, or 18.11 through 18.11.2, especially if GitLab is internet-facing or operationally critical.

Technical summary

According to the supplied advisory data, the flaw is an input-validation weakness that allows unauthenticated remote denial of service through specially crafted JSON. The CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating network reachability, no privileges, and high availability impact.

Defensive priority

High. This is unauthenticated, network-reachable, and can disrupt service availability; patching affected GitLab instances should be prioritized.

Recommended defensive actions

  • Upgrade GitLab CE/EE to 18.9.7, 18.10.6, or 18.11.3, or a later supported release on the same stable branch.
  • Confirm all self-managed GitLab deployments are on unaffected versions, including test and staging environments.
  • Temporarily restrict access to GitLab to trusted networks or users if immediate upgrading is not possible.
  • Monitor for unusual request failures, 5xx spikes, crashes, or service restarts while patching.
  • Review the linked GitLab advisory and release notes to align the upgrade with your standard maintenance process.
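As an added example (not PatchSiren's or GitLab's own code), the following check maps a GitLab version string to the affected ranges and fixed releases given above, so an inventory can be triaged without the string-comparison mistake that sorts 18.10.6 before 18.9.7. The host list is constructed, and the handling of a leading "v" or a "-ee" suffix is an assumption about how version strings may be reported.

```python
"""Triage GitLab versions against the CVE-2025-14870 affected ranges.
Added example; ranges are taken from the advisory text above."""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# (first release on the affected stable branch, first fixed release on it)
AFFECTED_BRANCHES = [
    ((18, 5, 0), (18, 9, 7)),    # 18.5 before 18.9.7
    ((18, 10, 0), (18, 10, 6)),  # 18.10 before 18.10.6
    ((18, 11, 0), (18, 11, 3)),  # 18.11 before 18.11.3
]


def parse_version(text: str) -> Version:
    """Parse '18.9.6', 'v18.9.6' or '18.9.6-ee' (assumed forms) into a
    numeric tuple so that comparisons are numeric, not lexical."""
    core = text.strip().lstrip("v").split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def fixed_release_for(version: str) -> Optional[Version]:
    """Return the first fixed release on the instance's branch if the
    version is affected, or None if it is outside every affected range."""
    v = parse_version(version)
    for low, fixed in AFFECTED_BRANCHES:
        if low <= v < fixed:
            return fixed
    return None


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """For each (host -> version) pair that is affected, return
    (host, running version, version to upgrade to)."""
    findings = []
    for host, version in inventory.items():
        fixed = fixed_release_for(version)
        if fixed is not None:
            findings.append((host, version, ".".join(map(str, fixed))))
    return findings


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    sample = {"git-prod": "18.9.6-ee", "git-stage": "v18.10.5",
              "git-lab": "18.11.3", "git-old": "18.4.9"}
    for host, running, target in triage(sample):
        print(f"{host}: {running} is affected, upgrade to {target}")
```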

Evidence notes

The version ranges, fixed versions, CVSS vector, CWE-770 mapping (allocation of resources without limits or throttling), and impact summary come from the supplied GitHub Advisory Database entry for GHSA-97r5-5fr5-p642 and its referenced CVE/NVD metadata. The advisory references the HackerOne report, the GitLab patch release page, and the GitLab work item; no exploit details beyond "specially crafted JSON payloads" are included here.

Official resources

Publicly disclosed in the advisory record on 2026-05-14, with the linked GitLab patch release dated 2026-05-13.