CVE-2021-39942
Description
A denial of service vulnerability in GitLab CE/EE affecting all versions starting from 12.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows low-privileged users to bypass file size limits in the NPM package repository to potentially cause denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A denial of service vulnerability in GitLab CE/EE allows low-privileged users to bypass NPM package file size limits by providing a manipulated length parameter, potentially causing denial of service.
Vulnerability
The vulnerability exists in the Packages::Npm::CreatePackageService service, where the file_size_exceeded? method validates file size using attachment['length'] from the user request instead of the actual file size. This allows a user to bypass the configured maximum NPM package file size by providing a small value in the length parameter while uploading a large file. Affected versions are GitLab CE/EE starting from 12.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, and all versions starting from 14.5 before 14.5.2 [1].
Exploitation
An attacker must have a valid GitLab account with at least Guest role. They can create a new project, obtain a deploy token, generate arbitrary large data, and send a PUT request to upload an NPM package with a manipulated length parameter (e.g., 1). The request bypasses the file size limit, allowing the attacker to upload a file of any size [1].
Impact
Successful exploitation allows a low-privileged user to upload arbitrarily large files to the NPM package repository. This can lead to excessive disk space consumption, potentially causing a denial of service (DoS) condition on the GitLab instance [1].
Mitigation
The vulnerability is fixed in GitLab versions 14.3.6, 14.4.4, and 14.5.2. Users should upgrade to these versions or later. No workarounds are available. The issue is not listed as a known exploited vulnerability (KEV) [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=12.0, <14.3.6 || >=14.4, <14.4.4 || >=14.5, <14.5.2
- Range: >=12.0, <14.3.6
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
File size validation in `Packages::Npm::CreatePackageService` trusts the user-supplied `length` field instead of measuring the actual size of the uploaded data.
Attack vector
A low-privileged user sends a PUT request to the NPM package creation endpoint (`/api/v4/projects/:id/packages/npm/...`) with a JSON body containing a `_attachments` object. Inside that object, the attacker sets the `length` field to a small number (e.g. `1`) while embedding a much larger payload in the `data` field. The service reads `attachment['length']` for the file size check, so the validation passes even though the actual data is many kilobytes or megabytes. This allows the attacker to upload arbitrarily large files, potentially exhausting disk space and causing denial of service [ref_id=1].
Affected code
The vulnerable code is in `app/services/packages/npm/create_package_service.rb`, where the method `file_size_exceeded?` uses `attachment['length'].to_i` — a value supplied directly by the user in the JSON request body — rather than measuring the actual size of the uploaded data [ref_id=1].
What the fix does
The advisory does not include a published patch diff, but the expected remediation is to change the file size validation so that it checks the actual byte length of the data being transferred rather than trusting the user-supplied `length` parameter [ref_id=1]. The fix should measure the real size of the attachment data (e.g. the decoded `data` field) and compare that against the configured `npm_max_file_size` limit.
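To make the root cause and the shape of the fix concrete, the following is an added Ruby example; it is not GitLab's source and does not reproduce the real `Packages::Npm::CreatePackageService`. It builds an npm publish body whose `_attachments` entry claims `length` 1 while carrying a 1024-byte base64 payload, then runs two hypothetical validators over it: `file_size_exceeded_vulnerable?` mirrors the described flaw (trusting `attachment['length']`), and `file_size_exceeded_fixed?` measures the decoded `data` against the limit. The `NPM_MAX_FILE_SIZE` constant stands in for the configured `npm_max_file_size` limit; the package name, version and payload are constructed for the demonstration.

```ruby
require 'base64'
require 'json'

# Constructed limit for the demonstration: an admin-configured npm_max_file_size
# of 10 bytes, matching the small limit used in the reproduction steps.
NPM_MAX_FILE_SIZE = 10

# Hypothetical reconstruction of the vulnerable check (not GitLab's code):
# it trusts the attacker-controlled `length` field and never looks at the data.
def file_size_exceeded_vulnerable?(attachment, limit)
  attachment['length'].to_i > limit
end

# Hardened check: decode the attachment and measure the real byte size.
# `length` is ignored entirely because the client controls it.
def file_size_exceeded_fixed?(attachment, limit)
  decoded = Base64.strict_decode64(attachment['data'].to_s)
  decoded.bytesize > limit
rescue ArgumentError
  # Malformed base64 cannot be measured; fail closed rather than accept it.
  true
end

# Build an npm publish body whose `_attachments` entry lies about its size.
# `claimed_length` is the attacker-supplied `length`; `real_bytes` is the
# actual tarball size. Constructed example, not captured traffic.
def forged_publish_body(package_name, claimed_length, real_bytes)
  tarball = Base64.strict_encode64(Random.new(42).bytes(real_bytes))
  {
    'name' => package_name,
    'versions' => { '1.0.0' => { 'name' => package_name, 'version' => '1.0.0' } },
    '_attachments' => {
      "#{package_name}-1.0.0.tgz" => {
        'content_type' => 'application/octet-stream',
        'data' => tarball,
        'length' => claimed_length
      }
    }
  }
end

# Run both validators over a publish body and report their decisions.
def evaluate(body, limit = NPM_MAX_FILE_SIZE)
  attachment = body['_attachments'].values.first
  {
    vulnerable_rejects: file_size_exceeded_vulnerable?(attachment, limit),
    fixed_rejects: file_size_exceeded_fixed?(attachment, limit),
    actual_bytes: Base64.strict_decode64(attachment['data']).bytesize
  }
end

if __FILE__ == $PROGRAM_NAME
  # Round-trip through JSON so the validators see what a server would parse.
  body = JSON.parse(JSON.generate(forged_publish_body('@scope/demo', 1, 1024)))
  result = evaluate(body)
  puts "claimed length: #{body['_attachments'].values.first['length']}, " \
       "actual bytes: #{result[:actual_bytes]}"
  puts "vulnerable check rejects? #{result[:vulnerable_rejects]}"
  puts "fixed check rejects?      #{result[:fixed_rejects]}"
end
```

The point to take from the two validators is that any size metadata in the request body is attacker input; the only trustworthy measure is the byte count of the data the server actually receives, taken after decoding and before the file is written to storage.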
Preconditions
- auth: The attacker must have a valid GitLab account or deploy token with permission to create NPM packages in a project.
- config: An administrator must have set a non-zero `Maximum NPM package file size` limit (e.g. 10 bytes) in Admin Area > Settings > CI/CD > Package file size limits.
- network: The attacker must be able to send HTTP PUT requests to the GitLab NPM package registry API endpoint.
- input: The attacker must craft a JSON payload where the `length` field in `_attachments` is smaller than the actual base64-encoded data.
Reproduction
1. As an administrator, set a small NPM file size limit: Admin Area > Settings > CI/CD > Package file size limits > Maximum NPM package file size in bytes = 10.
2. As a regular user, create a project and a deploy token with write access to the package registry.
3. Generate a payload larger than the limit: `dd if=/dev/urandom bs=1024 count=1 2>/dev/null | base64`.
4. Send a PUT request to `/api/v4/projects/
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39942.json (x_refsource_CONFIRM)
2. gitlab.com/gitlab-org/gitlab/-/issues/297492 (x_refsource_MISC)
3. hackerone.com/reports/1071861 (x_refsource_MISC)
News mentions
No linked articles in our index yet.