VYPR
Unrated severity · NVD Advisory · Published Nov 6, 2023 · Updated Apr 23, 2026

Allocation of Resources Without Limits or Throttling in GitLab

CVE-2023-5963

Description

An issue has been discovered in GitLab EE with Advanced Search affecting all versions from 13.9 to 16.3.6, 16.4 prior to 16.4.2 and 16.5 prior to 16.5.1 that could allow a denial of service in the Advanced Search function by chaining too many syntax operators.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GitLab EE Advanced Search denial of service via excessive syntax operators in search queries.

Vulnerability

An issue in GitLab EE with Advanced Search allows a denial of service by chaining too many syntax operators in a single search query. Affected versions are all from 13.9 to 16.3.6, 16.4 prior to 16.4.2, and 16.5 prior to 16.5.1 [1]; only instances with the Elasticsearch integration enabled expose Advanced Search at all. The CVE description names only "syntax operators"; the cited reference [1] describes the trigger as a query containing an excessive number of OR operators. Such a query is turned into an Elasticsearch request whose cost grows with the number of clauses, driving CPU usage on the Elasticsearch nodes that back Advanced Search up until search stops responding [1].

Exploitation

An attacker who can reach a GitLab instance with Advanced Search enabled and can submit searches (typically any authenticated user) can exploit this by crafting a query with a large number of OR operators. No privileges beyond ordinary search access and no interaction from other users are required [1]. Because each query is cheap to send and expensive to evaluate, the attacker can sustain the outage simply by resubmitting it.

Impact

Successful exploitation causes a denial of service of the Advanced Search function: the Elasticsearch search nodes become unresponsive, so no user can search until the cluster recovers or is restarted [1]. The impact is confined to availability; confidentiality and integrity are not affected.

Mitigation

GitLab fixed this issue in 16.5.1 and 16.4.2 [1] (and, by the version range in the description, 16.3.6 for the 16.3 line). Upgrade to one of these or a later release. Where an immediate upgrade is not possible, no official workaround is documented [1]; as interim measures an administrator can watch Elasticsearch node CPU for spikes that correlate with search requests, and rate-limit or reject search requests whose query strings carry an unusually high number of operators, at a reverse proxy or in a pre-filter. Turning off Advanced Search in the admin settings (GitLab then falls back to basic search) also removes the affected code path at the cost of the feature; that is a general GitLab control, not a workaround stated in the advisory.
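The operator-heavy-query mechanism described under Vulnerability and the "reject queries with excessive operators" interim measure above, as an added example that is neither GitLab's code nor anything taken from the advisory: a Ruby pre-filter that counts Advanced Search syntax operators in a query string, flags requests over a cap, and runs over a few constructed access-log lines to show which client is sending such queries. Assumptions, all mine: the operator set is that of Elasticsearch's simple_query_string syntax (`+ | - " * ( ) ~`), which GitLab Advanced Search is documented to build on; the cap of 32 is arbitrary; the log lines, client addresses and paths are constructed, not real.

```ruby
# frozen_string_literal: true
require 'cgi'
require 'uri'

# Syntax operators of Elasticsearch simple_query_string, which GitLab
# Advanced Search builds on (assumption: this is the set that matters here).
#   +  AND    |  OR    -  NOT (at term start)    "  phrase    *  prefix
#   ( )  grouping    ~N  fuzziness / slop
MAX_OPERATORS = 32 # hypothetical cap; tune to what legitimate users send

# Count syntax operators in a raw query string. A backslash escapes the
# next character; inside a quoted phrase only the closing quote counts;
# a quote pair counts once; '-' counts only where it can act as NOT.
def count_operators(query)
  count = 0
  in_quote = false
  prev = ' '
  chars = query.chars
  i = 0
  while i < chars.length
    c = chars[i]
    if c == '\\' # escaped character is a literal: skip both
      i += 2
      prev = 'x'
      next
    end
    if in_quote
      if c == '"'
        in_quote = false
        count += 1 # one phrase operator per quote pair
      end
    else
      case c
      when '"' then in_quote = true
      when '|', '+', '*', '(', ')', '~' then count += 1
      when '-' then count += 1 if prev.match?(/[\s(|]/)
      end
    end
    prev = c
    i += 1
  end
  count
end

# True when a query stays within the operator cap.
def acceptable?(query, max: MAX_OPERATORS)
  count_operators(query) <= max
end

# Extract the search term from each "client method target" line and return
# a record for every request whose query exceeds the cap.
def flagged_requests(log, max: MAX_OPERATORS)
  log.each_line.map do |line|
    ip, _method, target = line.split
    next unless target
    query = URI.decode_www_form(URI.parse(target).query.to_s).to_h['search']
    next unless query
    n = count_operators(query)
    n > max ? { ip: ip, operators: n, query: query } : nil
  end.compact
end

# Tally flagged requests per client address, the input to a rate limit or block.
def offending_clients(log, max: MAX_OPERATORS)
  flagged_requests(log, max: max).each_with_object(Hash.new(0)) { |r, h| h[r[:ip]] += 1 }
end

# Constructed sample lines (not a real GitLab log): two ordinary searches
# from one client, two operator-heavy ones from another.
SAMPLE_LOG = <<~LOG
  10.0.0.5 GET /search?scope=blobs&search=password+config
  10.0.0.5 GET /search?scope=blobs&search=%22api+key%22+-test
  10.0.0.9 GET /search?scope=blobs&search=#{CGI.escape((['a'] * 200).join('|'))}
  10.0.0.9 GET /search?scope=issues&search=#{CGI.escape('x ' + ('(' * 60) + 'y' + (')' * 60))}
LOG

if $PROGRAM_NAME == __FILE__
  flagged_requests(SAMPLE_LOG).each do |r|
    puts "#{r[:ip]} sent a query with #{r[:operators]} operators (cap #{MAX_OPERATORS})"
  end
  p offending_clients(SAMPLE_LOG)
end
```

The count is deliberately syntax-aware rather than a character histogram: a hyphen inside `rate-limit` or an escaped `\|` is not an operator and must not trip the filter, otherwise the workaround itself becomes a denial of service for legitimate users. In a deployment the same function would sit in front of the `/search` endpoint and feed the per-client tally into the rate limiter rather than only printing it.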

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3 (the three affected version ranges given in the description)

Patches: 0. No patches discovered yet; the fixed releases are those named under Mitigation.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1 (cited as [1] above)

News mentions: 0. No linked articles in our index yet.