GraphQL complexity error when viewing Vulnerability Report in WebUI
Summary
Users are experiencing GraphQL complexity errors when attempting to view the Vulnerability Report through the GitLab WebUI. The error message "GraphQL error: Query has complexity of 271, which exceeds max complexity of 250" prevents the vulnerability list from loading.
Steps to reproduce
- Navigate to a project's Vulnerability Report:
/-/security/vulnerability_report/ - Apply basic filters such as
?severity=CRITICAL,HIGH&state=DETECTED - Observe the GraphQL complexity error
- Alternatively, view the report with default settings and change from "Show 20 items" to "Show 100 items"
Current behavior
- The Vulnerability Report page displays a GraphQL complexity error
- The list of vulnerabilities remains empty and does not load
- Error: "GraphQL error: Query has complexity of 271, which exceeds max complexity of 250"
Expected behavior
The Vulnerability Report should load successfully and display the list of vulnerabilities without exceeding GraphQL complexity limits.
Workaround
Logging out and logging back in temporarily resolves the issue. However, the error may return when changing pagination settings (e.g., switching from "Show 20 items" to "Show 100 items").
Impact
- Platform: GitLab.com (SaaS)
- Subscription Level: GitLab Ultimate customers affected
- Frequency: 366 occurrences logged in 24 hours (as of 2025-11-11)
- Kibana logs: https://log.gprd.gitlab.net/app/r/s/Zk8pM
Related issues
This issue appears to be separate from #576497 (closed), which specifically affects blob queries with complexity jumping from 35 (1 path) to 346+ (2+ paths). The complexity score of 271 in this issue suggests a different root cause related to the vulnerability report query itself.
Customer reports
- Ticket 669837 (Internal)
- Ticket 670468 (Internal)
- Ticket 670835 (Internal)
- Ticket 671027 (Internal)
Environment
- Platform: GitLab.com
- Affected feature: Security & Compliance > Vulnerability Report