Allocation of Resources Without Limits or Throttling in GitLab
Description
An issue has been discovered in GitLab EE affecting all versions starting from 10.5 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to cause a client-side denial of service using malicious crafted mermaid diagram input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A client-side denial-of-service vulnerability in GitLab EE allows attackers to cause high CPU usage via crafted Mermaid flowchart diagrams in comments.
Vulnerability
A client-side denial-of-service vulnerability exists in GitLab EE versions 10.5 through 16.4.2, 16.5.0 through 16.5.2, and 16.6.0. The issue is triggered when a user views a comment containing a specially crafted Mermaid flowchart diagram using the flowchart TB syntax with excessive ampersand separators and long arrows. This causes the Mermaid rendering engine to consume excessive CPU resources, leading to a browser hang or crash. The vulnerability is present in any section that supports comments, including issues, merge requests, milestones, snippets, wiki pages, markdown documents, and epics [1].
Exploitation
An attacker with the ability to post comments (any authenticated user) can craft a malicious Mermaid diagram as described in the HackerOne report [1]. The attacker creates a comment containing a flowchart TB block with multiple nodes connected by a long arrow using many ampersands and dashes. When any user views the page containing this comment, the browser attempts to render the diagram, causing 100% CPU usage and a denial of service. No special network position or user interaction beyond viewing the page is required.
Impact
Successful exploitation results in a client-side denial of service. The victim's browser becomes unresponsive or crashes, preventing normal use of the GitLab instance. The attack does not lead to data disclosure, modification, or privilege escalation; it solely affects availability for the targeted user.
Mitigation
GitLab has addressed this issue in versions 16.4.3, 16.5.3, and 16.6.1. Users should upgrade to these or later versions. No workaround is available for unpatched versions. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=10.5, <16.4.3 || >=16.5, <16.5.3 || >=16.6, <16.6.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Crafted Mermaid flowchart input with deeply nested or long arrow syntax causes excessive CPU consumption in the client-side Mermaid renderer, leading to a denial of service."
Attack vector
An attacker posts a comment containing a specially crafted Mermaid flowchart TB diagram with repeated node references and an extremely long arrow (e.g., `A & A & A & A & A & A & A & A ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------> C & D & E & ... & Z`). When any user views the page (Issues, Merge requests, Milestones, Snippets, Wiki pages, Markdown documents, Epics), the client-side Mermaid renderer consumes 100% CPU and the page loads very slowly or hangs [ref_id=1]. No authentication beyond the ability to create comments is required.
Affected code
The vulnerability affects GitLab EE's Mermaid diagram rendering component, which processes user-supplied flowchart TB syntax in comments and other markdown-capable fields. The advisory does not specify exact file paths or function names [ref_id=1].
What the fix does
The advisory does not include a published patch diff. The fix is expected to sanitize or limit the complexity of Mermaid diagram input on the server side or within the Mermaid renderer to prevent pathological flowchart constructs from consuming excessive client resources. GitLab addressed this in versions 16.4.3, 16.5.3, and 16.6.1 [ref_id=1].
Preconditions
- auth: Attacker must be able to create comments on any GitLab resource (Issues, Merge requests, Milestones, Snippets, Wiki pages, Markdown documents, Epics)
- input: Victim must view the page containing the crafted Mermaid diagram
Reproduction
1. Create a comment on any GitLab resource (e.g., an Issue) containing the following Mermaid flowchart TB payload (three copies of the diagram, each in its own fenced block):
```mermaid
flowchart TB
A & A & A & A & A & A & A & A ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------> C & D & E & F & G & H & I & J & K & L & M & N & O & P & Q & R & S & T & U & V & W & X & Y & Z
```
```mermaid
flowchart TB
A & A & A & A & A & A & A & A ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------> C & D & E & F & G & H & I & J & K & L & M & N & O & P & Q & R & S & T & U & V & W & X & Y & Z
```
```mermaid
flowchart TB
A & A & A & A & A & A & A & A ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------> C & D & E & F & G & H & I & J & K & L & M & N & O & P & Q & R & S & T & U & V & W & X & Y & Z
```
2. Reload the page. The page will load very slowly and the browser will use 100% CPU [ref_id=1].
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- hackerone.com/reports/2137421 (mitre; technical-description, exploit, permissions-required)
- gitlab.com/gitlab-org/gitlab/-/issues/424882 (mitre; issue-tracking, permissions-required)
News mentions
- GitLab Security Release: 16.6.1, 16.5.3, 16.4.3 (GitLab Security Releases, Nov 30, 2023)