VYPR
Unrated severity · NVD Advisory · Published Jun 6, 2023 · Updated Jan 7, 2025

Allocation of Resources Without Limits or Throttling in GitLab

CVE-2023-0921

Description

A lack of length validation in GitLab CE/EE affecting all versions from 8.3 before 15.10.8, 15.11 before 15.11.7, and 16.0 before 16.0.2 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An authenticated attacker can cause CPU exhaustion in GitLab by creating large issue or label descriptions via GraphQL, affecting all versions from 8.3 before 15.10.8, 15.11 before 15.11.7, and 16.0 before 16.0.2.

Vulnerability

A lack of length validation in GitLab CE/EE allows an authenticated attacker to create arbitrarily large descriptions for issues and labels via GraphQL. This affects all versions from 8.3 before 15.10.8, 15.11 before 15.11.7, and 16.0 before 16.0.2. The vulnerability was introduced when the fix for a similar issue (CVE-2023-0921) missed the label description field, which remained unbounded [1].

Exploitation

An attacker with a valid GitLab account can use GraphQL to create an issue or label with a very large description (e.g., exceeding 1 MB). For labels, the attacker can then use the "Prioritized Labels" feature to bypass the default 20-labels-per-page limit, causing multiple large descriptions to be rendered simultaneously. By repeatedly requesting the affected pages (e.g., project labels page) with N+1 concurrent requests (where N is the number of worker threads), the attacker can saturate CPU resources, leading to server instability [1].

Impact

Successful exploitation results in CPU exhaustion, out-of-memory errors, and bundle process timeouts. This degrades availability for all users of the GitLab instance, causing 500/502 errors and effectively a denial-of-service condition [1].

Mitigation

GitLab has released fixed versions: 15.10.8, 15.11.7, and 16.0.2. Users should upgrade to these or later versions. No workaround is available; upgrading is the only mitigation [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing length validation on label descriptions allows arbitrarily large payloads to be stored and rendered, causing CPU and memory exhaustion."

Attack vector

An authenticated attacker creates multiple labels with arbitrarily large description payloads (e.g., 40MB of '&' characters) via GraphQL API calls [1]. The attacker then prioritizes these labels on a project labels page, bypassing the 20-per-page display limit so that all large-description labels render on a single page [1]. By repeatedly requesting the project labels page (N+1 times, where N is the number of worker threads), the attacker saturates CPU and memory resources, causing 500/502 errors for other users and potentially crashing bundle processes due to out-of-memory errors [1].

Affected code

The vulnerability affects label descriptions in GitLab CE/EE. The issue is that labels were not subject to the 1MB description size limit that was previously applied to other features (like issue descriptions) after earlier fixes [1]. Both group and project labels pages display multiple labels along with their descriptions, and the "Prioritized Labels" feature can bypass the normal 20-labels-per-page pagination limit [1].

What the fix does

The advisory does not include a published patch diff, but the fix is described as applying a length validation limit to label descriptions, similar to the 1MB limit already enforced on other description fields after earlier fixes [1]. The remediation guidance is to restrict the size of label descriptions so that arbitrarily large payloads cannot be stored or rendered, preventing the CPU and memory exhaustion that occurs when the labels page processes oversized descriptions [1].
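The fix described above, as an added illustration that is not GitLab's code: a framework-free Ruby model that rejects a label description before it is stored, using the 1MB figure quoted on this page. Class and method names are assumptions, and the size is measured in bytes rather than characters so multibyte text cannot slip past the cap.

```ruby
# Added example, not GitLab's implementation. Names are assumed for illustration.
MAX_DESCRIPTION_BYTES = 1 * 1024 * 1024   # 1MB, the limit quoted in the advisory

class LabelDescriptionError < StandardError; end

# "Before": the description is stored as-is, however large it is, and every
# render of the labels page has to process the whole payload.
class UnboundedLabel
  attr_reader :title, :description

  def initialize(title, description)
    @title = title
    @description = description
  end
end

# "After": the description is validated before it is stored, so an oversized
# payload never reaches the database or the page renderer.
class BoundedLabel
  attr_reader :title, :description

  def initialize(title, description)
    BoundedLabel.validate_description!(description)
    @title = title
    @description = description
  end

  # Measure bytes, not characters: a multibyte character costs several bytes
  # in storage and in the rendered page, so String#length would under-count.
  def self.validate_description!(description)
    return if description.nil?
    size = description.bytesize
    return if size <= MAX_DESCRIPTION_BYTES
    raise LabelDescriptionError,
          "description is #{size} bytes, exceeds #{MAX_DESCRIPTION_BYTES} bytes"
  end

  # Boolean form for callers such as a mutation resolver that report errors
  # instead of raising.
  def self.description_ok?(description)
    validate_description!(description)
    true
  rescue LabelDescriptionError
    false
  end
end

if __FILE__ == $PROGRAM_NAME
  huge = "&" * (2 * MAX_DESCRIPTION_BYTES)                    # constructed oversized payload
  puts UnboundedLabel.new("x", huge).description.bytesize     # stored unchecked
  puts BoundedLabel.description_ok?("a small description")    # true
  puts BoundedLabel.description_ok?(huge)                     # false
end
```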

Preconditions

  • auth: Attacker must have an authenticated GitLab account with the ability to create labels in a project
  • input: Attacker must be able to create labels via the GraphQL API (or a web session with a CSRF token)
  • input: Attacker must be able to prioritize labels (via the set_priorities endpoint) to bypass the 20-per-page pagination limit
  • config: Target GitLab instance must be running a version from 8.3 before 15.10.8, 15.11 before 15.11.7, or 16.0 before 16.0.2

Reproduction

1. Create a new blank project (e.g., `attacker/labeldos`) with Public visibility.
2. Generate a personal access token or obtain the `_gitlab_session` cookie and CSRF token.
3. Run `store_label_graphql.py` with arguments such as `--hostname http://gitlab.example.com --payload '&' --num-attempts 60 --post-size-mb 40 --delay 3 --tagPrefix MyLabel --projectPath attacker/labeldos --threadpool 3` to create ~60 labels with large descriptions.
4. Prioritize the labels by calling `/attacker/labeldos/-/labels/set_priorities` with the list of label IDs (manually via browser or BurpSuite).
5. Run `retrieve_label.py` with arguments such as `--hostname http://gitlab.example.com --num-attempts 15 --delay 4 --projectPath attacker/labeldos --threadpool 4` to repeatedly request the labels page, exhausting server resources [1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 1