CVE-2023-2198
Description
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.7 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A Regular Expression Denial of Service was possible via sending crafted payloads to the preview_markdown endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated ReDoS in GitLab Markdown preview via crafted payloads to preview_markdown endpoint, affecting multiple versions.
Vulnerability
A Regular Expression Denial of Service (ReDoS) vulnerability exists in GitLab CE/EE affecting all versions starting from 8.7 before 15.10.8, all versions starting from 15.11 before 15.11.7, and all versions starting from 16.0 before 16.0.2. The issue lies in the InlineDiffFilter used when rendering Markdown, triggered by sending crafted payloads to the preview_markdown endpoint [1].
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending specially crafted payloads to the preview_markdown endpoint. The endpoint is accessible without authentication, requiring only a valid CSRF token which can be obtained from any public group page on the GitLab instance. The attacker does not need any prior access or special privileges, making the attack easily reproducible from any network position that can reach the GitLab server [1].
Impact
Successful exploitation causes a Denial of Service (DoS) condition on the GitLab instance. The ReDoS consumes excessive server resources, potentially making the service unresponsive to legitimate users. This impacts all users of the affected instance, with no data access or integrity compromise; the primary impact is availability [1].
Mitigation
Fixed versions have been released: GitLab 15.10.8, 15.11.7, and 16.0.2. Users should upgrade to one of these versions or later. The vulnerability was reported via HackerOne (report #1947187) and fixed in GitLab issue #408273 [1]. No workaround is available for unpatched versions. This CVE is not listed in the CISA KEV catalog as of the publication date.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=8.7, <15.10.8 || >=15.11, <15.11.7 || >=16.0, <16.0.2
- Range: >=8.7, <15.10.8
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Catastrophic backtracking in the regex `/(?:\[\-(.*?)\-\]|\{\-(.*?)\-\})/` within `InlineDiffFilter` allows denial of service via crafted markdown input."
Attack vector
An unauthenticated attacker sends crafted payloads to the `preview_markdown` endpoint (e.g., `POST /groups/[public_group_name]/preview_markdown`). The payload contains a specially crafted string such as `"[-{-"` repeated many times (e.g., 250,000 times), which triggers catastrophic backtracking in the vulnerable regex [1]. Because the endpoint is accessible without authentication (only a CSRF token and session cookie from a public group page are needed), the attacker can exhaust CPU resources and cause a denial of service [1].
Affected code
The vulnerable regular expression is in `lib/banzai/filter/inline_diff_filter.rb` at lines 23-24, in the `inline_diff_filter` method. The regex `/(?:\[\-(.*?)\-\]|\{\-(.*?)\-\})/` is applied via `gsub` to user-supplied markdown text [1].
What the fix does
The advisory states the fix should rewrite the regex in `inline_diff_filter` so it does not cause severe backtracking, or replace the regex with equivalent code that does not use regular expressions [1]. No patch diff is included in the bundle, but the expected correct behavior is to eliminate the catastrophic backtracking in `/(?:\[\-(.*?)\-\]|\{\-(.*?)\-\})/` [1].
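The following Ruby is an added example and is not GitLab's code or the fix shipped in the patched releases. It shows the second remedy the advisory describes: replacing the quoted regex with a single left-to-right scan whose cost is proportional to the input length. The quoted pattern is kept under the assumed name `VULNERABLE_REGEX` only so the two implementations can be compared on short inputs; the `<del>` output markup, the function names, and the small and large sample inputs are all assumptions constructed for this example. The key to the linear bound is that a closer (`-]` or `-}`) that is absent after one opener is also absent after every later opener on the same line, so each closer is searched unsuccessfully at most once per line.

```ruby
# Added example (not GitLab's code): a linear-time replacement for the
# backtracking-prone inline diff regex, plus the original regex for an
# equivalence check on short inputs. The <del> markup is an assumption;
# GitLab's real filter emits its own span markup.

# The vulnerable pattern quoted in the advisory. Lazy `.*?` inside an
# alternation makes gsub rescan to end-of-line from every unmatched opener,
# so cost grows quadratically with the number of "[-" / "{-" openers.
VULNERABLE_REGEX = /(?:\[\-(.*?)\-\]|\{\-(.*?)\-\})/

# Regex-based filter, kept only to compare results on short inputs.
def regex_filter(text)
  text.gsub(VULNERABLE_REGEX) { "<del>#{$1 || $2}</del>" }
end

# Single left-to-right scan over one line. Each closer string is searched
# unsuccessfully at most once (the flags remember "no closer remains"), and a
# successful search advances the cursor past the match, so total work is
# proportional to the line length.
def filter_line(line)
  out = +""
  i = 0
  closer_missing = { "-]" => false, "-}" => false }
  while i < line.length
    c = line[i]
    if (c == "[" || c == "{") && line[i + 1] == "-"
      close = (c == "[") ? "-]" : "-}"
      unless closer_missing[close]
        j = line.index(close, i + 2)
        if j
          out << "<del>" << line[(i + 2)...j] << "</del>"
          i = j + 2
          next
        end
        closer_missing[close] = true
      end
    end
    out << c
    i += 1
  end
  out
end

# `.` in the original regex does not match "\n", so a match never spans
# lines; processing line by line preserves that behaviour exactly.
def inline_deletion_filter(text)
  text.split("\n", -1).map { |line| filter_line(line) }.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  require "benchmark"
  puts inline_deletion_filter("foo [-bar-] and {-baz-}")
  # Constructed inputs of the shape the advisory describes: many openers,
  # no closers. The regex version is timed only on a short one.
  small = "[-{-" * 1_000
  large = "[-{-" * 250_000
  puts "regex,  %7d chars: %.3fs" % [small.length, Benchmark.realtime { regex_filter(small) }]
  puts "linear, %7d chars: %.3fs" % [large.length, Benchmark.realtime { inline_deletion_filter(large) }]
end
```

Running the file prints the filtered sample and the two timings; the regex is deliberately given a far shorter input because its running time grows with the square of the opener count. A practitioner adopting this approach should keep an equivalence test like the one in the block against the original regex so that the rewrite cannot silently change rendering for ordinary input.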
Preconditions
- auth: Attacker must have access to a public group page to obtain a CSRF token and session cookie
- network: Attacker must be able to send HTTP POST requests to the preview_markdown endpoint
- input: Payload must contain a crafted string that triggers regex backtracking (e.g., repeated '[-{-' pattern)
Reproduction
1. Set up a GitLab instance and create a public group.
2. As an unauthenticated user, browse to the public group page and capture the `csrf-token` and `_gitlab_session` cookie values.
3. Download the `InlineDiffFilter_ReDoS_payload.json` attachment (containing the crafted payload).
4. Run a loop sending POST requests to `/groups/[public_group_name]/preview_markdown` with the captured token, session cookie, and the payload file.
5. Observe CPU exhaustion on the instance [1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
- [1] GitLab Security Release: 16.0.2, 15.11.7, and 15.10.8 (GitLab Security Releases, Jun 5, 2023)