Unrated severity · NVD Advisory · Published Oct 17, 2022 · Updated May 13, 2025

CVE-2022-2931

Description

A potential DOS vulnerability was discovered in GitLab CE/EE affecting all versions before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. Malformed content added to the issue description could have been used to trigger high CPU usage.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A denial-of-service vulnerability in GitLab CE/EE allows unauthenticated or authenticated users to cause high CPU usage via malformed issue descriptions.

Vulnerability

A denial-of-service (DoS) vulnerability exists in GitLab Community Edition (CE) and Enterprise Edition (EE) affecting all versions before 15.1.6, all versions from 15.2 before 15.2.4, and all versions from 15.3 before 15.3.2. The bug is triggered when malformed content is added to an issue description, specifically a long string of repeated `![l` characters (or similar patterns) that causes excessive CPU consumption during markdown preview rendering [1]. The issue is reachable via the authenticated issue preview or the unauthenticated `/api/v4/markdown` endpoint [1].

Exploitation

An attacker can exploit this vulnerability by either (a) creating an issue with a crafted description and then previewing it (requires an authenticated user with issue creation privileges) or (b) sending a direct request to the unauthenticated markdown preview API with the malicious payload [1]. The payload consists of a large number of repetitions of the pattern `![l` (e.g., `python -c "print('![l' * int(1048576 / 3 - 1) + '\n')"`), which is near the maximum description size. Upon preview, the server consumes high CPU for up to 60 seconds (the request timeout). Multiple parallel requests can exhaust multiple CPU cores, leading to service unavailability [1].

Impact

Successful exploitation causes high CPU usage on the GitLab server, potentially making the instance unresponsive to legitimate requests. An attacker can repeatedly send requests to sustain the denial-of-service condition. The vulnerability does not require authentication for the markdown API endpoint, widening the attack surface. No data confidentiality or integrity is compromised, but availability is severely impacted [1].
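
The behaviour described above (calls to `/api/v4/markdown` that run until the 60-second timeout, often several from one client) can be hunted for in request logs. The following is an added example, not code from GitLab or the advisory; the log field names, the 80% cut-off and the sample lines are assumptions.

```python
import json
from collections import defaultdict

# Assumed log shape (not from the advisory): one JSON object per line with
# "method", "path", "duration_s" and "remote_ip" keys. Thresholds are illustrative.
MARKDOWN_PATH = "/api/v4/markdown"   # endpoint named in the advisory
TIMEOUT_S = 60.0                     # request timeout quoted in the advisory
NEAR_TIMEOUT_S = 0.8 * TIMEOUT_S     # assumed cut-off for "ran close to the timeout"

# Constructed sample lines (documentation IP ranges); the last one is truncated on purpose.
SAMPLE_LOG = """\
{"time":"2022-09-01T10:00:01Z","method":"POST","path":"/api/v4/markdown","duration_s":0.04,"remote_ip":"198.51.100.7"}
{"time":"2022-09-01T10:01:10Z","method":"POST","path":"/api/v4/markdown","duration_s":60.01,"remote_ip":"203.0.113.20"}
{"time":"2022-09-01T10:01:11Z","method":"POST","path":"/api/v4/markdown","duration_s":59.97,"remote_ip":"203.0.113.20"}
{"time":"2022-09-01T10:01:11Z","method":"POST","path":"/api/v4/markdown","duration_s":60.02,"remote_ip":"203.0.113.20"}
{"time":"2022-09-01T10:01:30Z","method":"GET","path":"/api/v4/projects","duration_s":0.12,"remote_ip":"198.51.100.7"}
{"time":"2022-09-01T10:02:00Z","method":"POST","path":"/api/v4/markdown","duration_s":58.3,"remote_ip":"192.0.2.55"}
{"time":"2022-09-01T10:02
"""


def slow_markdown_renders(lines):
    """Yield (remote_ip, duration_s) for markdown API calls that ran near the timeout."""
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank, truncated or non-JSON lines
        if not isinstance(entry, dict):
            continue
        if entry.get("method") != "POST" or entry.get("path") != MARKDOWN_PATH:
            continue
        duration = entry.get("duration_s")
        if isinstance(duration, (int, float)) and duration >= NEAR_TIMEOUT_S:
            yield entry.get("remote_ip", "unknown"), float(duration)


def suspicious_clients(lines, min_slow=2):
    """Return {remote_ip: [durations]} for clients with at least min_slow slow renders."""
    per_client = defaultdict(list)
    for ip, duration in slow_markdown_renders(lines):
        per_client[ip].append(duration)
    return {ip: d for ip, d in per_client.items() if len(d) >= min_slow}


if __name__ == "__main__":
    for ip, durations in suspicious_clients(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(durations)} markdown renders near the {TIMEOUT_S:.0f}s timeout")
```

A single slow render (the `192.0.2.55` line) is not flagged at the default threshold; lower `min_slow` to 1 to review those as well.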

Mitigation

GitLab has addressed this vulnerability in versions 15.1.6, 15.2.4, and 15.3.2 [1]. Users should upgrade to one of these fixed versions or later. No workaround is documented; upgrading is the recommended mitigation. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
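
To check an inventory against the affected ranges stated above, the following added example (not from GitLab or the advisory) parses GitLab version strings and reports the first fixed release for each affected host. The host names and versions are constructed, and any suffix after `X.Y.Z` (such as `-ee`) is ignored by assumption.

```python
import re

# Affected ranges from the advisory: (first affected version, first fixed version).
AFFECTED_RANGES = [
    ((0, 0, 0), (15, 1, 6)),    # all versions before 15.1.6
    ((15, 2, 0), (15, 2, 4)),   # 15.2 up to, not including, 15.2.4
    ((15, 3, 0), (15, 3, 2)),   # 15.3 up to, not including, 15.3.2
]

# Constructed inventory (hypothetical host names and version strings).
SAMPLE_INVENTORY = {
    "gitlab-prod": "15.2.3-ee",
    "gitlab-staging": "15.3.2-ee",
    "gitlab-legacy": "14.10.5",
    "gitlab-lab": "15.1.6",
}


def parse_version(text):
    """Parse 'X.Y.Z' (optional leading 'v', optional suffix) into an int tuple."""
    match = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(part) for part in match.groups())


def first_fixed_version(text):
    """Return the fixed release closing the range this version falls in, or None."""
    version = parse_version(text)
    for first_affected, fixed in AFFECTED_RANGES:
        if first_affected <= version < fixed:
            return ".".join(str(part) for part in fixed)
    return None


def triage(inventory):
    """Return {host: first fixed version} for hosts running an affected release."""
    findings = {}
    for host, version_text in inventory.items():
        fixed = first_fixed_version(version_text)
        if fixed is not None:
            findings[host] = fixed
    return findings


if __name__ == "__main__":
    for host, fixed in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: affected, upgrade to {fixed} or later")
```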

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Root cause

"The `cache_collection_render` function in the Banzai Markdown renderer enters a high-CPU loop when processing a malformed issue description containing a large number of repeated image markdown fragments."

Attack vector

An attacker can trigger high CPU usage by creating an issue (or using the unauthenticated Markdown Preview API at `/api/v4/markdown`) with a malformed description containing a large number of repeated image markdown syntax fragments, e.g., `![l` repeated approximately 349,525 times (just under the 1 MB description limit) [1]. The server burns CPU for up to 60 seconds per request, and multiple parallel requests can consume multiple CPU cores, potentially making the entire instance unavailable [1]. No special privileges are needed on GitLab.com (self-registration is open) [1].

Affected code

The vulnerability lies in the Markdown rendering pipeline. The `analyze` method in the Banzai filter initializes `texts_and_contexts`, which is then passed to `Renderer.cache_collection_render` in `banzai/reference_extractor.rb` [1]. The CPU burn occurs during the execution of `cache_collection_render` when processing a specially crafted issue description [1].

What the fix does

The advisory does not include a patch diff, but the fix addresses the implementation of `cache_collection_render` in the Banzai renderer to prevent excessive CPU consumption when processing malformed markdown [1]. The remediation ensures that the Markdown rendering pipeline handles edge cases in issue descriptions without entering a high-CPU loop, and the fix was applied in versions 15.1.6, 15.2.4, and 15.3.2 [1].

Preconditions

  • auth: On GitLab.com, anyone can self-register; on self-managed instances, depends on instance configuration
  • input: Attacker must be able to create an issue or access the Markdown Preview API endpoint
  • input: The crafted description must be near the maximum description size (approximately 1 MB)

Reproduction

1. As an authenticated user (or unauthenticated via the Markdown Preview API), create an issue with the following description generated by: `python -c "print('![l' * int(1048576 / 3 - 1) + '\n')"` [1].
2. Hit the preview button (or send the payload to `/api/v4/markdown`).
3. Observe that the request hangs for ~60 seconds (the server-side timeout) while consuming a full CPU core [1].
4. Send multiple such requests in parallel to consume additional CPU cores and degrade server availability [1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
