CVE-2025-8396: Temporal OSS Server Vulnerable to Allocation of Resources Without Limits or Throttling

September 15, 2025 (updated November 10, 2025)

Insufficiently specific bounds checking on authorization header could lead to denial of service in the Temporal server on all platforms due to excessive memory allocation. This issue affects all platforms and versions of OSS Server prior to 1.26.3, 1.27.3, and 1.28.1 (i.e., fixed in 1.26.3, 1.27.3, and 1.28.1 and later). Temporal Cloud services are not impacted.

References

github.com/advisories/GHSA-p768-c3pr-6459
github.com/temporalio/temporal
github.com/temporalio/temporal/releases/tag/v1.26.3
github.com/temporalio/temporal/releases/tag/v1.27.3
github.com/temporalio/temporal/releases/tag/v1.28.1
nvd.nist.gov/vuln/detail/CVE-2025-8396

Code Behaviors & Features

Detect and mitigate CVE-2025-8396 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →