Resource Exhaustion Affecting gitlab-cng-18.3 package, versions <18.3.3-r0


Severity (recommended): low

Based on default assessment until relevant scores are available.

Threat Intelligence

EPSS
0.54% (41st percentile)

  • Snyk ID: SNYK-MINIMOSLATEST-GITLABCNG183-13310839
  • Published: 6 Oct 2025
  • Disclosed: 25 Sept 2025

Introduced: 25 Sep 2025

CVE-2025-59830
CWE-400
CWE-770

How to fix?

Upgrade Minimos:latest gitlab-cng-18.3 to version 18.3.3-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream gitlab-cng-18.3 package and not the gitlab-cng-18.3 package as distributed by Minimos. See How to fix? for Minimos:latest relevant fixed versions and status.

Rack is a modular Ruby web server interface. Prior to version 2.2.18, Rack::QueryParser enforces its params_limit only for parameters separated by &, while still splitting on both & and ;. As a result, attackers could use ; separators to bypass the parameter count limit and submit more parameters than intended. Applications or middleware that directly invoke Rack::QueryParser with its default configuration (no explicit delimiter) could be exposed to increased CPU and memory consumption. This can be abused as a limited denial-of-service vector. This issue has been patched in version 2.2.18.

CVSS Base Scores

version 3.1