CVE-2025-13690 in Community Edition
Summary
by MITRE • 03/11/2026
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to cause a denial of service condition due to improper input validation on webhook custom header names under certain conditions.
Analysis
by VulDB Data Team • 03/14/2026
This vulnerability affects GitLab Community Edition and Enterprise Edition installations across multiple version ranges, including 16.11 through 18.7.5, 18.8 through 18.8.5, and 18.9 through 18.9.1. The issue stems from inadequate input validation within the webhook functionality that processes custom header names. When an authenticated user submits a webhook configuration containing specially crafted header names, the system fails to properly sanitize these inputs, leading to potential resource exhaustion. This is a classic denial of service vulnerability that falls under the weakness category CWE-20, improper input validation. The flaw allows attackers to consume excessive system resources through malformed header name inputs, potentially disrupting legitimate service operations and affecting other users within the same GitLab instance.
The flaw lies within GitLab's webhook processing pipeline, where custom header names are not adequately validated against expected formats or length constraints. When a user creates or modifies a webhook configuration, the system should verify that header names conform to standard HTTP header naming conventions and do not contain patterns that could trigger resource allocation issues. However, the validation process fails to properly handle certain edge cases in header name formatting, particularly when special characters or extended Unicode sequences are present. This weakness enables an attacker to construct header names that cause the system to allocate excessive memory or processing cycles during validation, ultimately leading to service unavailability. The vulnerability maps to the ATT&CK technique T1499.004, which involves network denial of service attacks targeting infrastructure and services.
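The two paragraphs above describe the kind of validation that was missing: header names should be bounded in length and restricted to the characters HTTP allows before any further processing touches them. The following Ruby module is an added example written for this page; it is not GitLab's own code and makes no claim about how the patched versions implement the check. The character set is the RFC 7230 "token" grammar, which is real; the 128-byte limit and the reserved-name list are assumptions chosen for the example.

```ruby
# Added example, not GitLab's implementation: validate webhook custom header
# names up front, so that nothing downstream ever sees unbounded or malformed
# input. Character set follows RFC 7230 tchar; MAX_NAME_LENGTH and RESERVED
# are assumed values for illustration.
module WebhookHeaderValidator
  # RFC 7230 tchar: "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
  # "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA. A single character class with
  # one quantifier runs in linear time; there is no nested quantifier to
  # backtrack on, so the regex itself cannot become the resource sink.
  TOKEN = /\A[!\#\$%&'*+\-.^_`|~0-9A-Za-z]+\z/.freeze

  # Assumed upper bound on a header name; a product would pick its own value.
  MAX_NAME_LENGTH = 128

  # Assumed list of hop-by-hop / framing headers an integration must not override.
  RESERVED = %w[host content-length transfer-encoding connection].freeze

  # Returns an array of error strings; an empty array means the name is acceptable.
  # Checks are ordered cheapest first and return early, so the regex only ever
  # runs on a well-encoded string of bounded size.
  def self.errors_for(name)
    return ["name must be a String"] unless name.is_a?(String)
    return ["name is not valid #{name.encoding}"] unless name.valid_encoding?
    return ["name must not be empty"] if name.empty?
    return ["name exceeds #{MAX_NAME_LENGTH} bytes"] if name.bytesize > MAX_NAME_LENGTH

    errors = []
    # Whitespace, control bytes, ':' and any non-ASCII character (including
    # Unicode lookalikes of ASCII letters) all fail the token grammar.
    errors << "name contains characters outside RFC 7230 tchar" unless name.match?(TOKEN)
    errors << "name is reserved" if RESERVED.include?(name.downcase)
    errors
  end

  def self.valid?(name)
    errors_for(name).empty?
  end

  # Validate a whole custom-header map (name => value) and return
  # { name => errors } for every entry that must be rejected.
  def self.invalid_headers(headers)
    headers.each_with_object({}) do |(name, _value), bad|
      errs = errors_for(name)
      bad[name] = errs unless errs.empty?
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample configuration, as a client might submit it.
  sample = {
    "X-Custom-Token" => "abc",
    "Bad Name" => "1",
    "X-\u00DCnicode" => "2",
    "Host" => "example.invalid",
    "X-" + ("a" * 200) => "3"
  }
  WebhookHeaderValidator.invalid_headers(sample).each do |name, errs|
    puts "reject #{name.inspect}: #{errs.join('; ')}"
  end
end
```

The design point is the ordering: encoding, emptiness and length are decided before the pattern match, and the pattern is a single character class, so the cost of validating a name is proportional to its (already bounded) size regardless of what the caller sends.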
The operational impact of this vulnerability extends beyond simple service disruption as it affects the core functionality of GitLab's integration capabilities. Organizations relying on webhooks for CI/CD pipelines, notifications, or external system integrations face potential operational downtime when attackers exploit this weakness. The authenticated nature of the attack means that only users with valid credentials can leverage this vulnerability, but this still represents a significant risk as it allows for privilege escalation attacks within the system. The vulnerability affects all users who can create or modify webhook configurations, which typically includes project members with appropriate permissions. This creates a potential attack vector where malicious insiders or compromised accounts could exploit the flaw to cause service degradation or complete outages for the GitLab instance. The remediation requires updating to the patched versions where proper input validation has been implemented to prevent the exploitation of malformed header names during webhook configuration processing.