VYPR
Unrated severity · NVD Advisory · Published Feb 7, 2024 · Updated Apr 24, 2026

Inefficient Regular Expression Complexity in GitLab

CVE-2023-6736

Description

An issue has been discovered in GitLab EE affecting all versions starting from 11.3 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. It was possible for an attacker to cause a client-side denial of service using malicious crafted content in the CODEOWNERS file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A ReDoS vulnerability in GitLab EE's CODEOWNERS file parser allows an attacker to cause client-side denial of service via a crafted file.

Vulnerability

A ReDoS (Regular Expression Denial of Service) vulnerability exists in the CODEOWNERS reference extractor in GitLab EE. The regex `EMAIL_REGEXP = /(?<email>([^@\s]+@[^@\s]+(?<!\W)))/` backtracks super-linearly when scanning a long run of non-whitespace characters that ends in a single `@`: the trailing `[^@\s]+` can never match, so from every candidate start position inside the run the engine walks to the `@`, then retries each shorter prefix before giving up, and the total work grows quadratically with the length of the run. Affected versions: all starting from 11.3 before 16.7.6, all starting from 16.8 before 16.8.3, all starting from 16.9 before 16.9.1 [1].

Exploitation

An attacker must be authenticated and have the ability to create or modify a CODEOWNERS file in a project. The attacker crafts a CODEOWNERS file containing a line with a long string of zeros followed by an `@` (e.g., `README.md 000...000@`). When the `validateCodeownerFile` GraphQL query is triggered (e.g., when the CODEOWNERS file is viewed in the repository browser), the regex engine enters catastrophic backtracking and consumes excessive CPU. By sending multiple concurrent requests (e.g., 20 in a loop), the attacker can drive the server's CPUs to 100%, denying service to other users [1].

Impact

GitLab classifies this as a client-side denial of service, but the reported effect is server-side CPU exhaustion. The attacker can degrade or block access to the GitLab instance for legitimate users. No data is compromised; availability is what suffers [1].

Mitigation

GitLab has released fixed versions 16.7.6, 16.8.3 and 16.9.1; upgrade to one of these or later. The advisory mentions no workaround; since the root cause is the regex, the fix presumably rewrites or replaces `EMAIL_REGEXP`. The vulnerability is not listed in CISA KEV as of the publication date [1].
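The version check a practitioner would run against an inventory, as an added example written for this page (not GitLab's code). It encodes the three affected ranges above as half-open intervals and assumes GitLab's `-ee`/`-ce` version suffix convention; the suffix has to be stripped before comparison because `Gem::Version` would otherwise parse `16.7.6-ee` as a pre-release that sorts below `16.7.6` and report a fixed build as affected.

```ruby
# Added example, not GitLab's code: check a GitLab version string against the
# affected ranges stated in this advisory.
require 'rubygems'

# [introduced, fixed) pairs taken from the advisory text.
AFFECTED_RANGES = [
  ['11.3', '16.7.6'],
  ['16.8', '16.8.3'],
  ['16.9', '16.9.1']
].map { |lo, hi| [Gem::Version.new(lo), Gem::Version.new(hi)] }.freeze

# Returns true when `version` (e.g. "16.7.5-ee") falls in an affected range.
# Community Edition does not ship the ee/ tree that contains the extractor,
# so a "-ce" build is reported as not affected (assumption based on the
# affected file path quoted in this advisory).
def affected_version?(version)
  base, edition = version.strip.split('-', 2)
  return false if edition == 'ce'

  # Strip the edition suffix before parsing: Gem::Version reads "16.7.6-ee"
  # as the pre-release "16.7.6.pre.ee", which sorts below 16.7.6.
  v = Gem::Version.new(base)
  AFFECTED_RANGES.any? { |lo, hi| v >= lo && v < hi }
end

if __FILE__ == $PROGRAM_NAME
  %w[16.7.5-ee 16.7.6-ee 16.8.2-ee 16.9.0-ee 16.9.1-ee 11.2.9-ee 16.7.5-ce].each do |v|
    puts "#{v}: #{affected_version?(v) ? 'AFFECTED' : 'not affected'}"
  end
end
```

Versions between a fixed release and the next minor (for example 16.7.7) are outside every interval and are reported as not affected, which matches the advisory's "before 16.7.6" wording.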

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"A regular expression used to extract email references from CODEOWNERS files contains a vulnerable pattern that causes catastrophic backtracking (ReDoS) on crafted input."

Attack vector

An attacker with the ability to create or modify a CODEOWNERS file in a GitLab project inserts a line containing a long string of zeros followed by an `@` character (e.g., `README.md 000...000@`). When the server processes this file via the `validateCodeownerFile` GraphQL query, the vulnerable regex `EMAIL_REGEXP` triggers catastrophic backtracking, consuming 100% CPU on all cores and causing a denial of service [ref_id=1]. The attacker can sustain the DoS with as few as 10 requests per minute, making the instance inaccessible to legitimate users [ref_id=1].

Affected code

The vulnerable code is in `ee/lib/gitlab/code_owners/reference_extractor.rb` at line 11, where the constant `EMAIL_REGEXP` is defined as `/(?<email>([^@\s]+@[^@\s]+(?<!\W)))/` [ref_id=1]. This regex is used to extract email references from CODEOWNERS file content.

What the fix does

The advisory does not include a published patch diff, and no patch is available in the provided bundle; the expected fix is to rewrite `EMAIL_REGEXP` in `ee/lib/gitlab/code_owners/reference_extractor.rb` so that it cannot backtrack super-linearly [ref_id=1]. The vulnerable regex `/(?<email>([^@\s]+@[^@\s]+(?<!\W)))/` does quadratic work on a long token ending in `@` because the scan is unanchored: every offset inside the token is a fresh start position, and each one walks to the `@` before failing. Possessive quantifiers or atomic groups alone do not remove that per-offset cost; a robust rewrite either splits the content on whitespace and anchors the pattern to each token so that a token has exactly one start position, or moves to a linear-time engine such as RE2 (which would also mean replacing the `(?<!\W)` lookbehind, since RE2 does not support lookaround).
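The vulnerable pattern from the Vulnerability and Affected code sections beside an anchored rewrite, as an added example written for this page; it is not GitLab's code and not GitLab's actual patch. `TOKEN_EMAIL_REGEXP`, `extract_emails_hardened`, `extract_emails_with_deadline` and the sample CODEOWNERS content are all constructed here. The hardened extractor is slightly stricter than the original (it accepts only whole whitespace-delimited tokens), and the deadline variant relies on the per-match timeout that Ruby 3.2 added to `Regexp`, falling back to the plain scan on older interpreters.

```ruby
# Added example, not GitLab's code or its patch: the EMAIL_REGEXP quoted in
# this advisory beside an assumed linear-time replacement and a bounded
# variant for Ruby >= 3.2. The sample CODEOWNERS content is constructed.
require 'benchmark'

# The regex named in the advisory (ee/lib/gitlab/code_owners/reference_extractor.rb).
VULNERABLE_EMAIL_REGEXP = /(?<email>([^@\s]+@[^@\s]+(?<!\W)))/

# Assumed hardened form. Content is split on whitespace first and each whole
# token is matched with \A...\z, so the engine has one start position per
# token and a token of N characters costs O(N) instead of O(N^2).
TOKEN_EMAIL_REGEXP = /\A[^@\s]+@[^@\s]*\w\z/

# Constructed sample: two owner lines, one email followed by a comma.
SAMPLE_CODEOWNERS = <<~TEXT
  # constructed CODEOWNERS content
  *.rb   @backend-team alice@example.com
  /docs/ docs-owner@example.org, bob@example.net
TEXT

# The advisory's trigger: a long run of non-whitespace ending in a single '@'.
def crafted_codeowners(n)
  "README.md #{'0' * n}@"
end

def extract_emails_vulnerable(text)
  # With a named group present, scan returns one array per match holding
  # only the named capture, so each match is unwrapped with first.
  text.scan(VULNERABLE_EMAIL_REGEXP).map(&:first)
end

def extract_emails_hardened(text)
  text.split(/\s+/)
      .map { |token| token.sub(/\W+\z/, '') } # same trim the (?<!\W) lookbehind performs
      .select { |token| token.match?(TOKEN_EMAIL_REGEXP) }
end

# Defence in depth where the pattern cannot be changed yet: Ruby 3.2+ lets a
# Regexp carry a per-match deadline. Returns :timed_out instead of spinning.
def extract_emails_with_deadline(text, seconds: 0.5)
  return extract_emails_vulnerable(text) unless Regexp.method_defined?(:timeout)

  bounded = Regexp.new(VULNERABLE_EMAIL_REGEXP.source, timeout: seconds)
  text.scan(bounded).map(&:first)
rescue Regexp::TimeoutError
  :timed_out
end

# Wall-clock growth when the crafted token doubles in length: about 4x for the
# unanchored scan, roughly flat for the anchored one (sub-millisecond times are noisy).
def growth_ratio(extractor, n)
  t1 = Benchmark.realtime { send(extractor, crafted_codeowners(n)) }
  t2 = Benchmark.realtime { send(extractor, crafted_codeowners(2 * n)) }
  t2 / t1
end

if __FILE__ == $PROGRAM_NAME
  puts "benign input: #{extract_emails_hardened(SAMPLE_CODEOWNERS).inspect}"
  puts "vulnerable scan, 2k -> 4k zeros: #{growth_ratio(:extract_emails_vulnerable, 2_000).round(1)}x"
  puts "hardened scan,   2k -> 4k zeros: #{growth_ratio(:extract_emails_hardened, 2_000).round(1)}x"
end
```

Run it as a script to see the growth ratios; keep the crafted length in the low thousands for the vulnerable scan, since the advisory's 100,000-character token takes on the order of 10^10 steps and will peg a core for a long time. On a benign file all three extractors return the same three addresses; on the crafted file the hardened version returns an empty list after a single linear pass.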

Preconditions

  • auth: Attacker must have an account on a self-hosted GitLab Premium instance with permission to create or modify a CODEOWNERS file in a project
  • config: The GitLab instance must be a Premium or higher tier (EE) running a vulnerable version (11.3 up to but not including 16.7.6, 16.8.0 up to but not including 16.8.3, or 16.9.0)
  • network: Attacker must be able to send HTTP requests to the GitLab instance
  • input: The malicious CODEOWNERS file content must contain a long string of non-whitespace characters ending with `@` to trigger the ReDoS

Reproduction

1. Log in to a self-hosted GitLab Premium instance and create a new project.
2. Create a file named `CODEOWNERS` with content `README.md <100000 zeros>@`.
3. Save the file and refresh the page.
4. In browser devtools, locate the pending GraphQL `validateCodeownerFile` request and copy it as cURL.
5. Run the curl command in a loop (e.g., 20 concurrent requests).
6. Observe on the server via `top`/`htop` that all CPUs reach 100% and the site becomes unresponsive [ref_id=1].

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 1