VYPR
Unrated severity · NVD Advisory · Published Jun 6, 2023 · Updated Jan 7, 2025

CVE-2023-2132

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, and all versions starting from 16.0 before 16.0.2. A DollarMathPostFilter Regular Expression Denial of Service was possible by sending crafted payloads to the preview_markdown endpoint.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A ReDoS vulnerability in GitLab's DollarMathPostFilter allows unauthenticated attackers to cause denial of service via crafted markdown preview requests.

Vulnerability

A Regular Expression Denial of Service (ReDoS) vulnerability exists in the DollarMathPostFilter component of GitLab CE/EE. The flaw affects all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, and all versions starting from 16.0 before 16.0.2. An attacker can trigger the ReDoS by sending a specially crafted payload to the preview_markdown endpoint, which processes markdown content server-side [1].

Exploitation

Exploitation requires no authentication or special privileges. The attacker needs only network access to a GitLab instance and a valid CSRF token (obtainable from any public group page). The attack consists of sending a crafted JSON payload containing a malicious markdown string to the preview_markdown endpoint, causing the DollarMathPostFilter regex to enter a catastrophic backtracking state [1].

Impact

Successful exploitation results in a denial of service (DoS) condition. The ReDoS consumes excessive CPU resources on the server, potentially rendering the GitLab instance unresponsive or causing it to crash. This can disrupt all users and services relying on the affected instance [1].

Mitigation

GitLab has addressed this vulnerability in versions 15.10.8, 15.11.7, and 16.0.2. Users should upgrade to one of these fixed versions immediately. No workarounds are available for unpatched instances [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The `DOLLAR_DISPLAY_INLINE_PATTERN` regex in `DollarMathPostFilter` uses a pattern that causes catastrophic backtracking when matching crafted inputs."

Attack vector

An unauthenticated attacker sends crafted payloads to the `preview_markdown` endpoint, which triggers the `DollarMathPostFilter` regex engine [ref_id=1]. The payload `"$$" + " " * 1_000_000 + "$"` causes catastrophic backtracking in the `DOLLAR_DISPLAY_INLINE_PATTERN` regex, exhausting CPU resources [ref_id=1]. The attacker can obtain a CSRF token and session cookie by browsing a public group as an unauthenticated user, then use those credentials to send repeated requests (e.g., one per second) to the endpoint [ref_id=1]. Each request consumes one CPU core for up to 60 seconds, quickly saturating all cores and making the instance unresponsive [ref_id=1].

Affected code

The vulnerable code is in `lib/banzai/filter/dollar_math_post_filter.rb`, specifically the `DOLLAR_DISPLAY_INLINE_PATTERN` regex defined at lines 24–27 and its use in the `process_dollar_pipeline` method at line 50 [ref_id=1]. The regex `(?

What the fix does

The advisory does not include a published patch, but states that the fix should either rewrite `DOLLAR_DISPLAY_INLINE_PATTERN` to avoid catastrophic backtracking or implement equivalent logic without regular expressions [ref_id=1]. The affected versions are GitLab CE/EE 15.4 through 15.10.8, 15.11 through 15.11.7, and 16.0 through 16.0.2, and users should upgrade to a patched release [ref_id=1].
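As an added illustration of the second option described above (equivalent logic without a regular expression), here is a single-pass scanner for `$$...$$` display-math spans that stay on one line. This is example code written for this page, not GitLab's `DollarMathPostFilter`; the delimiter semantics it implements (an opening `$$`, a non-empty body with no newline, a closing `$$`; unterminated or empty openers are kept as literal text) are an assumption, since the page does not show the original pattern. The scan only ever moves forward and hands the inner search's stopping point back to the outer loop, so the pathological input cited on this page (`$$` followed by a million spaces and a single `$`) is processed in time linear in its length rather than backtracking.

```ruby
# Example code written for this page; not GitLab's DollarMathPostFilter.
# Delimiter semantics are an assumption: "$$" ... "$$" on a single line with a
# non-empty body. Unterminated or empty openers are left as literal text.

DOLLAR  = '$'.ord
NEWLINE = "\n".ord

# Returns an array of [start_byte, end_byte_exclusive, body] for every
# display-math span in +text+. Runs in O(n): the outer index only moves
# forward, and after a failed search it resumes where the search stopped
# instead of re-examining the characters after the opener.
def scan_dollar_display_inline(text)
  bytes = text.bytes   # '$' and "\n" are single bytes in UTF-8, so a byte
  n = bytes.length     # scan cannot split a multibyte character
  spans = []
  i = 0
  while i < n
    unless bytes[i] == DOLLAR && bytes[i + 1] == DOLLAR
      i += 1
      next
    end

    # Look for the closing "$$" before the end of the current line.
    j = i + 2
    close = nil
    while j < n - 1 && bytes[j] != NEWLINE
      if bytes[j] == DOLLAR && bytes[j + 1] == DOLLAR
        close = j
        break
      end
      j += 1
    end

    if close && close > i + 2
      spans << [i, close + 2, text.byteslice(i + 2, close - (i + 2))]
      i = close + 2
    else
      # No closing delimiter (or an empty body): the opener is literal text.
      # Resume at +j+; everything before it was already inspected, so the
      # scanner never backtracks over it. j >= i + 2, so i always advances.
      i = j
    end
  end
  spans
end

# Convenience wrapper returning only the math bodies.
def extract_display_math(text)
  scan_dollar_display_inline(text).map { |(_s, _e, body)| body }
end

# Runs the scanner and reports wall-clock seconds, so behaviour on the
# pathological input can be checked against a time budget.
def scan_with_timing(text)
  t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  spans = scan_dollar_display_inline(text)
  [spans, Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs.
  p extract_display_math("Area: $$\\pi r^2$$ and $$E = mc^2$$")
  pathological = "$$" + (" " * 1_000_000) + "$"   # the input the advisory cites
  spans, secs = scan_with_timing(pathological)
  puts "pathological input: #{spans.length} spans in #{secs.round(3)}s"
end
```

The returned offsets are byte offsets, which is why `byteslice` is used to cut the body; this keeps the scan O(1) per step even for strings containing multibyte characters, where Ruby's character-indexed `String#[]` would otherwise be linear per access.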

Preconditions

  • Network: The attacker must have network access to a GitLab instance running an affected version (15.4–15.10.8, 15.11–15.11.7, or 16.0–16.0.2).
  • Input: The attacker must obtain a valid CSRF token and session cookie, which can be done by browsing any public group as an unauthenticated user.
  • Auth: No authentication is required; the attack works against unauthenticated users accessing a public group.

Reproduction

1. Set up a GitLab instance (affected version) and create a public group.
2. As an unauthenticated user, browse to the public group and extract the CSRF token from the HTML and the `_gitlab_session` cookie from the request headers.
3. Prepare a JSON payload file containing the crafted ReDoS string (e.g., `"$$" + " " * 1_000_000 + "$"`).
4. Run a loop that sends a POST request to `/groups/[PUBLIC_GROUP_NAME]/preview_markdown` with the payload, CSRF token, and session cookie once per second.
5. Observe that CPU cores become saturated and the instance becomes unresponsive [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 1