Cyber Resilience

CVE-2024-2878

Severity: High · Category: DDoS

Published: 05 February 2025
Modified: 06 August 2025
KEV Added: not listed
Patch: available
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0462 (89.5th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-2878 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in GitLab (vendor/product: Gitlab Gitlab). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 10.5% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-2878 is a denial-of-service vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE), affecting all versions starting from 15.7 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. The issue allows an attacker to trigger excessive resource consumption by crafting unusual search terms for branch names, classified under CWE-770 (Allocation of Resources Without Limits or Throttling). It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to its network accessibility and lack of required privileges.

An unauthenticated attacker (PR:N) can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). By submitting specially crafted search queries for branch names, the attacker causes GitLab to allocate excessive resources, leading to a denial of service (A:H) that disrupts service availability without impacting confidentiality or integrity.

GitLab addressed the vulnerability in patch releases, including version 16.11.2, as detailed in the release notes. Administrators should upgrade to GitLab 16.9.7 or later, 16.10.5 or later, or 16.11.2 or later to mitigate the issue. Further details are available in the GitLab issue tracker (https://gitlab.com/gitlab-org/gitlab/-/issues/451918) and the associated HackerOne report (https://hackerone.com/reports/2416356).

EU & UK References

Vulnerability details

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.7 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. It was possible for an attacker to cause a denial of service by crafting unusual search terms for branch names.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE enables application-level resource-exhaustion DoS via crafted queries against a public-facing service, which directly matches T1499.004 Application or System Exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-1725 · Same product: Gitlab Gitlab
CVE-2025-1257 · Same product: Gitlab Gitlab
CVE-2025-13929 · Same product: Gitlab Gitlab
CVE-2026-1102 · Same product: Gitlab Gitlab
CVE-2023-6386 · Same product: Gitlab Gitlab
CVE-2025-13927 · Same product: Gitlab Gitlab
CVE-2026-1456 · Same product: Gitlab Gitlab
CVE-2025-12664 · Same product: Gitlab Gitlab
CVE-2026-0958 · Same product: Gitlab Gitlab
CVE-2026-3988 · Same product: Gitlab Gitlab

Affected Assets

Vendor: gitlab
Product: gitlab
Affected version ranges: 15.7.0 — 16.9.7 · 16.10.0 — 16.10.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SC-5 Denial-of-service Protection (prevent · detect)

Directly implements denial-of-service protections like rate limiting and traffic analysis to block resource exhaustion from crafted branch name search queries.

SI-10 Information Input Validation (prevent)

Validates search term inputs against expected formats to prevent malicious queries from triggering excessive resource allocation in GitLab.

Input restriction (prevent)

Restricts the quantity and types of information input for branch searches, mitigating CWE-770 resource exhaustion without limits or throttling.
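The two control families above (throttling under SC-5, input validation and input restriction under SI-10) can be illustrated as a gatekeeper placed in front of an expensive branch-name search. The following is an added example written for this page; it is not GitLab's code and does not reproduce GitLab's fix. It assumes a length cap of 100 characters (an illustrative value), rejects characters and sequences that git itself never permits in a ref name (so a term containing them can never match a branch), and applies a per-client token bucket before any search work is attempted. The clock is injectable so the throttling can be exercised deterministically.

```python
import re
import time
from collections import defaultdict
from typing import Callable, Dict, Tuple

# Illustrative upper bound on a branch-name search term (assumed value).
# Overlong terms are rejected before any repository work happens (SI-10 input restriction).
MAX_TERM_LEN = 100

# Characters git never allows in a ref name (see `git check-ref-format`):
# control characters, DEL, space, and ~ ^ : ? * [ \
# A branch-name search term containing any of them cannot match a real branch.
_FORBIDDEN_CHARS = re.compile(r'[\x00-\x1f\x7f ~^:?*\[\\]')


def validate_branch_search_term(term: str) -> Tuple[bool, str]:
    """Input validation (SI-10): return (ok, reason) for a branch-name search term."""
    if not term:
        return False, "empty term"
    if len(term) > MAX_TERM_LEN:
        return False, f"term longer than {MAX_TERM_LEN} characters"
    if _FORBIDDEN_CHARS.search(term):
        return False, "contains characters not permitted in git ref names"
    if ".." in term or "@{" in term:
        return False, "contains a sequence git forbids in ref names"
    return True, "ok"


class TokenBucket:
    """Per-client token bucket (SC-5 throttling): a burst of `capacity`
    requests, refilled at `rate` tokens per second."""

    def __init__(self, capacity: int, rate: float,
                 clock: Callable[[], float] = time.monotonic):
        self.capacity = capacity
        self.rate = rate
        self.clock = clock
        # Every new client starts with a full bucket.
        self._tokens: Dict[str, float] = defaultdict(lambda: float(capacity))
        self._last: Dict[str, float] = {}

    def allow(self, client_id: str) -> bool:
        now = self.clock()
        last = self._last.get(client_id, now)
        # Refill proportionally to elapsed time, never beyond capacity.
        refilled = self._tokens[client_id] + (now - last) * self.rate
        self._tokens[client_id] = min(float(self.capacity), refilled)
        self._last[client_id] = now
        if self._tokens[client_id] >= 1.0:
            self._tokens[client_id] -= 1.0
            return True
        return False


def handle_branch_search(client_id: str, term: str, bucket: TokenBucket) -> Tuple[int, str]:
    """Gatekeeper in front of a hypothetical expensive branch search.
    Returns an HTTP-style (status, message) pair; 200 means the search may run."""
    if not bucket.allow(client_id):
        return 429, "rate limited"
    ok, reason = validate_branch_search_term(term)
    if not ok:
        return 400, reason
    return 200, "search accepted"


if __name__ == "__main__":
    # Constructed sample requests from one client, run against a small bucket.
    bucket = TokenBucket(capacity=3, rate=1.0)
    for term in ["feature/login", "a..b", "x" * 101, "main"]:
        print(term[:20], "->", handle_branch_search("client-a", term, bucket))
```

Both checks run before the search itself, so a rejected request costs only a regular-expression match and a dictionary update rather than a repository scan; the throttle is applied first so that a flood of invalid terms is also bounded per client.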

References