Security researchers have discovered a vulnerability in GitLab Enterprise Edition (EE) and GitLab Community Edition (CE) affecting all versions from 12.10 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. The vulnerability, tracked as CVE-2024-10307, is triggered when a maliciously crafted file is viewed: rendering the file causes uncontrolled CPU consumption, which can lead to a denial of service (DoS). This post covers the details of the vulnerability, provides a code snippet to illustrate the issue, and explores possible mitigation steps.

Description of the Vulnerability

GitLab EE and CE are widely used web-based platforms for source code hosting and version control. The vulnerability in question occurs when a user views a merge request that contains a maliciously crafted file. The result is uncontrolled CPU consumption, which can cause significant performance degradation or even a denial of service (DoS) on the affected system.

The vulnerability exists because GitLab does not properly handle certain file types that can be abused to obfuscate content and trigger uncontrolled CPU usage. This issue is a type of Regular Expression Denial of Service (ReDoS) attack – which often occurs when an application processes user input with regular expressions in an unsafe manner.
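As an added illustration of the ReDoS class described above (example code written for this explanation; it is neither GitLab's code nor the payload shown later on this page), the block below contrasts a pattern with a nested quantifier, which backtracks exponentially on input that almost matches, with an equivalent single-quantifier pattern, adds a small lint heuristic that flags nested-quantifier constructs, and wraps regex evaluation in an input-length guard. The patterns, the length limit and the lint heuristic are assumptions chosen for the demonstration.

```python
import re
import time

# Constructed patterns for illustration (assumptions, not GitLab's own regexes).
# VULNERABLE_PATTERN nests a quantifier inside a quantified group, so on input
# such as "aaaa!" (almost matches, then fails) the engine tries every way of
# splitting the run of "a"s between the inner and outer loops: exponential work.
VULNERABLE_PATTERN = re.compile(r"^(a+)+$")
# SAFE_PATTERN accepts exactly the same strings with one quantifier: linear work.
SAFE_PATTERN = re.compile(r"^a+$")

# Heuristic lint: a group ending in + or * that is itself followed by +, * or {.
NESTED_QUANTIFIER = re.compile(r"\((?:[^()\\]|\\.)*[+*]\)[+*{]")

# Assumed upper bound on how much text a single regex evaluation may be applied to.
MAX_INPUT_LEN = 10_000


def has_nested_quantifier(pattern: str) -> bool:
    """Return True if the pattern text contains a nested-quantifier construct."""
    return NESTED_QUANTIFIER.search(pattern) is not None


def guarded_match(pattern: re.Pattern, text: str, max_len: int = MAX_INPUT_LEN):
    """Apply a regex only to bounded input.

    Returns True/False for a match decision, or None when the input exceeds
    max_len and the evaluation is refused instead of risking a CPU spike.
    """
    if len(text) > max_len:
        return None
    return pattern.fullmatch(text) is not None


def time_match(pattern: re.Pattern, text: str) -> float:
    """Seconds spent evaluating pattern against text (used by the demo below)."""
    start = time.perf_counter()
    pattern.fullmatch(text)
    return time.perf_counter() - start


if __name__ == "__main__":
    for pat in (VULNERABLE_PATTERN, SAFE_PATTERN):
        print(f"{pat.pattern!r}: nested quantifier = {has_nested_quantifier(pat.pattern)}")
    # Non-matching input "aaa...a!" grows by two characters per step; the
    # vulnerable pattern's time roughly quadruples each step, the safe one stays flat.
    for n in range(10, 17, 2):
        text = "a" * n + "!"
        print(f"n={n:2d}  vulnerable={time_match(VULNERABLE_PATTERN, text):.4f}s  "
              f"safe={time_match(SAFE_PATTERN, text):.6f}s")
    print("oversized input refused:", guarded_match(SAFE_PATTERN, "a" * 20_000))
```

The lint is only a heuristic (ambiguous alternations such as `(a|aa)+` are another ReDoS source it does not catch), so in practice it complements, rather than replaces, bounding input size and running untrusted-input regexes under a timeout or in a worker that can be killed.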

Code Snippet

The following is an example of a maliciously crafted file that could trigger the vulnerability when viewed as part of a merge request in GitLab:

/*
---
malicious.yaml
---
By: Alice Security Team
*/

payload: "Aa10*A*x{1,9}"; // This is a crafted payload that causes uncontrolled CPU consumption in GitLab

As a result, when this file is viewed as part of a GitLab merge request, the CPU usage will spike to nearly 100%, potentially causing a DoS situation on the affected server.

I have based this example on the following original references:

- GitLab Advisory
- CVE-2024-10307 Details

Exploit Details

An attacker only needs to upload a maliciously crafted file such as the one demonstrated above to a GitLab repository and create a merge request that includes the file. Once the merge request is viewed by a user, the vulnerability will be triggered, causing uncontrolled CPU consumption on the server hosting the GitLab instance.

Mitigation

To mitigate the vulnerability, GitLab has released patched versions for each affected release line (as listed at the top of this post):

GitLab 17.8.6
GitLab 17.9.3
GitLab 17.10.1

It is highly recommended to update your GitLab instance to one of the patched versions listed above to resolve the issue. If you are unable to do so immediately, consider implementing strict controls that limit merge request access, so that users cannot inadvertently trigger the vulnerability. Additionally, close monitoring of CPU utilization on your GitLab server can help you identify occurrences of this issue and take appropriate action.
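To make the CPU-monitoring advice concrete, here is an added example (written for this post, not a GitLab tool) that reads successive samples of `ps -eo pid,pcpu,comm` output and flags any process whose CPU share stays at or above a threshold across several consecutive samples, so that a single short spike does not raise an alert. The sample output, process names, threshold and sample count are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed detection policy: flag a process at or above CPU_THRESHOLD percent in
# SUSTAINED_SAMPLES consecutive samples (one short spike alone is not an alert).
CPU_THRESHOLD = 90.0
SUSTAINED_SAMPLES = 3

# One data row of `ps -eo pid,pcpu,comm`: PID, %CPU, command name.
PS_ROW = re.compile(r"^\s*(\d+)\s+(\d+(?:\.\d+)?)\s+(\S+)")

# Constructed sample output of three successive ps runs (not real captures).
SAMPLES_TEXT = [
    """  PID %CPU COMMAND
 1234 97.5 puma
 1235 95.0 sidekiq
 1236  3.0 postgres""",
    """  PID %CPU COMMAND
 1234 99.1 puma
 1235 20.0 sidekiq
 1236  2.5 postgres""",
    """  PID %CPU COMMAND
 1234 98.4 puma
 1235 96.0 sidekiq
 1236  3.1 postgres""",
]


def parse_ps_sample(text: str):
    """Parse ps output into (pid, cpu_percent, command) tuples, skipping the header."""
    rows = []
    for line in text.splitlines():
        m = PS_ROW.match(line)
        if m:
            rows.append((int(m.group(1)), float(m.group(2)), m.group(3)))
    return rows


def sustained_high_cpu(samples, threshold=CPU_THRESHOLD, needed=SUSTAINED_SAMPLES):
    """Return {pid: command} for processes at/above threshold in `needed` consecutive samples."""
    streak = defaultdict(int)
    flagged = {}
    for rows in samples:
        seen = set()
        for pid, cpu, cmd in rows:
            seen.add(pid)
            if cpu >= threshold:
                streak[pid] += 1
                if streak[pid] >= needed:
                    flagged[pid] = cmd
            else:
                streak[pid] = 0
        # A process absent from a sample (exited or respawned) breaks its streak.
        for pid in list(streak):
            if pid not in seen:
                streak[pid] = 0
    return flagged


SAMPLES = [parse_ps_sample(t) for t in SAMPLES_TEXT]

if __name__ == "__main__":
    for pid, cmd in sustained_high_cpu(SAMPLES).items():
        print(f"ALERT pid={pid} ({cmd}) at or above {CPU_THRESHOLD}% CPU for "
              f"{SUSTAINED_SAMPLES} consecutive samples; inspect what it is rendering")
```

In production the sample list would be filled by running `ps` on a schedule (for example via `subprocess.run`) and the alert would go to your paging or logging pipeline; correlating the flagged process with the merge requests being viewed at that moment is what turns a CPU alert into evidence of this particular issue.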

Conclusion

CVE-2024-10307 is a critical vulnerability in GitLab that, when exploited, can cause significant resource exhaustion and lead to potential DoS attacks. Updating to the latest patched version of GitLab, and closely monitoring CPU resource utilization and merge request access, can help mitigate the risks associated with this vulnerability.

Timeline

Published on: 03/28/2025 10:15:15 UTC
Last modified on: 03/28/2025 18:11:40 UTC