VYPR
Unrated severity · NVD Advisory · Published Jan 26, 2024 · Updated Nov 20, 2025

Inefficient Regular Expression Complexity in GitLab

CVE-2023-6159

Description

An issue has been discovered in GitLab CE/EE affecting all versions from 12.7 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. It was possible for an attacker to trigger a Regular Expression Denial of Service via a Cargo.toml containing maliciously crafted input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A ReDoS vulnerability in GitLab's Cargo.toml dependency linker allows an attacker to cause denial of service by uploading a maliciously crafted Cargo.toml file.

Vulnerability

A Regular Expression Denial of Service (ReDoS) vulnerability exists in GitLab CE/EE versions from 12.7 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. The flaw resides in the Cargo.toml dependency linker (lib/gitlab/dependency_linker/cargo_toml_linker.rb), where user-supplied dependency names are interpolated directly into a regular expression without proper sanitization. Because the name is treated as pattern syntax rather than as a literal string, an attacker can craft a Cargo.toml file with a specially constructed dependency name that causes catastrophic backtracking when the blob viewer renders the file [1][2].
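The construction described above, as an added Ruby example that is not GitLab's code: a hypothetical linker that builds a per-dependency regex from the parsed name, first with the name interpolated raw and then with `Regexp.escape`, run over a constructed Cargo.toml fragment. The raw form lets a crate name act as a pattern (here it matches a different crate's line); the escaped form matches the name only literally.

```ruby
# Constructed Cargo.toml fragment (not taken from the advisory): two plain
# crate names and one name that carries regex metacharacters.
CARGO_TOML = <<~TOML
  [dependencies]
  serde = "1.0"
  aabc = "2.0"
  "a+(b|c)*" = "0.1"
TOML

# Defense in depth on Ruby 3.2+: cap any single match so a pathological
# pattern cannot pin a worker indefinitely. Guarded for older rubies.
Regexp.timeout = 1.0 if Regexp.respond_to?(:timeout=)

# Hypothetical dependency parser: the bare or quoted key before "=".
def dependency_names(toml)
  toml.lines.filter_map do |line|
    m = line.match(/\A\s*(?:"([^"]+)"|([\w\-]+))\s*=/)
    m && (m[1] || m[2])
  end
end

# Vulnerable construction: the untrusted name is spliced into the pattern
# verbatim, so "+", "(", "|" and "*" in the name become regex operators.
def unsafe_name_regex(name)
  Regexp.new("\\A\\s*\"?#{name}\"?\\s*=")
end

# Hardened construction: Regexp.escape turns the name into a literal.
def safe_name_regex(name)
  Regexp.new("\\A\\s*\"?#{Regexp.escape(name)}\"?\\s*=")
end

# Review aid: does this name alter the pattern when interpolated raw?
def name_changes_pattern?(name)
  unsafe_name_regex(name).source != safe_name_regex(name).source
end

# Lines of the file that a given per-dependency regex would link.
def matching_lines(toml, regex)
  toml.lines.select { |l| l.match?(regex) }.map(&:strip)
end

if __FILE__ == $0
  dependency_names(CARGO_TOML).each do |name|
    puts "#{name.inspect}: raw=#{matching_lines(CARGO_TOML, unsafe_name_regex(name))} " \
         "escaped=#{matching_lines(CARGO_TOML, safe_name_regex(name))}"
  end
end
```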

Exploitation

An attacker with the ability to create or modify a Cargo.toml file in a GitLab repository (e.g., by committing a new file or updating an existing one) can trigger the ReDoS. The attacker inserts a dependency name such as ".*((a|b)+|c)+" with a long string of repeating characters. When the blob viewer page attempts to render the file, the regex engine enters a state of exponential backtracking, consuming excessive CPU time and potentially causing the server to become unresponsive or time out [2]. No special privileges beyond standard repository write access are required.

Impact

Successful exploitation leads to a denial of service condition. The GitLab instance may experience high CPU usage, slow response times, or complete unavailability for the duration of the attack. The impact is limited to availability; no data confidentiality or integrity is compromised. The attacker does not gain elevated privileges or access to sensitive data.

Mitigation

GitLab has released patched versions: 16.8.1, 16.7.4, 16.6.6, and 16.5.8 on January 25, 2024 [1]. All users running affected versions should upgrade immediately. GitLab.com and GitLab Dedicated environments are already patched. No workarounds are documented; upgrading is the recommended action. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
