CVE-2020-13354
Description
A potential DOS vulnerability was discovered in GitLab CE/EE starting with version 12.6. The container registry name check could cause exponential number of backtracks for certain user supplied values resulting in high CPU usage. Affected versions are: >=12.6, <13.3.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A ReDoS vulnerability in GitLab CE/EE container registry name regex causes high CPU usage and potential denial of service for versions >=12.6, <13.3.9.
Vulnerability
A regular expression denial of service (ReDoS) vulnerability exists in GitLab CE/EE starting from version 12.6 up to, but not including, 13.3.9. The issue is in the container_repository_name_regex function within /lib/gitlab/regex.rb [1]. The regex pattern can cause exponential backtracking when processing certain user-supplied container repository names, leading to high CPU consumption [1].
Exploitation
An attacker does not need any authentication or special privileges to trigger this vulnerability. By sending a specially crafted container repository name (e.g., a long string with many repeating characters followed by a non-matching suffix) to the GitLab container registry, the regex engine enters a catastrophic backtracking state [1]. This can be done via docker push or docker build commands with a malicious repository name, up to 255 characters in length [1].
Impact
Successful exploitation results in excessive CPU usage on the GitLab server, potentially causing a denial of service (DoS) as the high CPU consumption can degrade performance or make the service unresponsive for other users [1]. No data integrity or confidentiality is compromised; the impact is limited to availability.
Mitigation
The vulnerability is fixed in GitLab CE/EE version 13.3.9 and later. Users running versions >=12.6 and <13.3.9 should upgrade to the latest patched release [1]. No workarounds are documented in the available references. This CVE is not listed on the known exploited vulnerabilities (KEV) catalog as per the provided information.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
3 entries (2 shown):
- (no CPE) range: >=12.6, <13.3.9
- (no CPE) range: >=12.6
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Catastrophic backtracking in the container repository name regex allows exponential CPU consumption for crafted inputs."
Attack vector
An attacker can trigger a ReDoS (Regular Expression Denial of Service) by pushing a Docker container image with a specially crafted repository name. The name must be up to 255 characters and include a pattern (e.g., many 'b' characters followed by dashes and an 'x') that causes the regex engine to backtrack exponentially. This results in high CPU consumption on the GitLab server, potentially denying service to other users [ref_id=1].
Affected code
The vulnerable code is in `lib/gitlab/regex.rb` at line 33, where the `container_repository_name_regex` is defined. This regex contains a pattern that causes catastrophic backtracking when processing certain user-supplied container repository names.
What the fix does
The advisory does not include a patch diff, but the fix would involve rewriting the `container_repository_name_regex` in `lib/gitlab/regex.rb` to eliminate the catastrophic backtracking. This is typically done by removing nested quantifiers or using atomic groups / possessive quantifiers to prevent the regex engine from trying exponential permutations. The remediation guidance from GitLab is to upgrade to version 13.3.9 or later, where the regex was corrected [ref_id=1].
Preconditions
- auth: Attacker must be able to push a Docker container image to a GitLab project's container registry
- config: GitLab instance must be running version >=12.6 and <13.3.9
- config: Container registry feature must be enabled on the GitLab instance
Reproduction
1. Build a Docker image with a tag containing a long repository name that triggers backtracking, e.g.: `docker build --tag registry.gl.vm/user1/project/a_bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb-----------x .` (repository name up to 255 characters total).
2. Push the image: `docker push registry.gl.vm/user1/project/a_bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb-----------x`.
3. Observe high CPU usage on the GitLab server as the regex engine backtracks catastrophically [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3 references:
- [1] gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13354.json (MITRE x_refsource_CONFIRM)
- gitlab.com/gitlab-org/gitlab/-/issues/220019 (MITRE x_refsource_MISC)
- hackerone.com/reports/869875 (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.