Unrated severity · NVD Advisory · Published Dec 13, 2021 · Updated Aug 4, 2024

CVE-2021-39932

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, and all versions starting from 14.5 before 14.5.2. Using large payloads, the diff feature could be used to trigger high load times for users reviewing code changes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GitLab CE/EE diff feature can be abused with large payloads to cause high load time for code reviewers.

Vulnerability

An issue in GitLab CE/EE affects all versions starting from 11.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, and all versions starting from 14.5 before 14.5.2. The diff feature does not properly limit payload sizes, allowing an attacker to craft large payloads that trigger high load times when users review code changes [1].

Exploitation

An attacker needs to be able to create merge request drafts or comments with diff positions. By submitting a crafted diff note with an oversized or overly complex payload in the position field, the attacker can cause excessive server-side processing when the diff is rendered for review. No special network position is required, and no authentication beyond the ability to create merge request notes [1].

Impact

Successful exploitation leads to a denial of service condition where users reviewing code changes experience significant load times, degrading the user experience and potentially impacting availability of the review interface [1].

Mitigation

GitLab released fixed versions 14.3.6, 14.4.4, and 14.5.2 on December 13, 2021. Users should upgrade to these or later versions. No workaround is documented in the available references [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0

References: 2

News mentions: 0