CVE-2024-2878
Published: 05 February 2025
Summary
CVE-2024-2878 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in GitLab CE/EE. Its CVSS v3.1 base score is 7.5 (High).
Operationally, it ranks in the top 10.7% of CVEs by exploit likelihood; it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST SP 800-53 SC-5 (Denial-of-Service Protection) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SC-5 (Denial-of-Service Protection): denial-of-service protections such as rate limiting and traffic analysis, applied directly to the branch-name search path, so that crafted search queries cannot exhaust server resources.
- SI-10 (Information Input Validation): validation of search terms against the expected format, so that malicious queries are rejected before they trigger excessive resource allocation in GitLab.
- Restricting the quantity and type of input accepted for branch searches bounds the work a single request can cause, which is exactly the CWE-770 failure mode (resource allocation without limits or throttling).
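The following is an added example, not GitLab's code and not the fix referenced in the release notes, illustrating what SC-5 and SI-10 style controls look like in front of a branch search: a per-client token bucket that throttles before any work is done, a pre-check that rejects search terms which cannot match any Git ref name (characters and sequences that git-check-ref-format forbids), and a result cap on the search itself. The numeric limits, the client identifier, the branch list and the function names are assumptions made for the example.

```python
import re
import time
from typing import Dict, List, Optional, Tuple

# Illustrative limits (assumptions for this example, not values from GitLab's fix).
MAX_TERM_LEN = 255            # longest search term accepted
MAX_RESULTS = 100             # cap on matches returned per request
BUCKET_CAPACITY = 10          # burst of searches a client may make
BUCKET_REFILL_PER_SEC = 1.0   # sustained searches per second per client

# Characters git-check-ref-format(1) forbids anywhere in a ref name: ASCII control
# characters, space, DEL and ~ ^ : ? * [ \ . A term containing one of them can
# never match a branch, so it is rejected before touching the backend.
_FORBIDDEN_CHARS = re.compile(r"[\x00-\x20\x7f~^:?*\[\\]")
_FORBIDDEN_SEQS = ("..", "@{")


def validate_branch_search_term(term: str) -> Optional[str]:
    """Return a rejection reason, or None when the term is acceptable (SI-10)."""
    if not term:
        return "empty"
    if len(term) > MAX_TERM_LEN:
        return "too long"
    if _FORBIDDEN_CHARS.search(term):
        return "contains a character that cannot appear in a ref name"
    if any(seq in term for seq in _FORBIDDEN_SEQS):
        return "contains a sequence that cannot appear in a ref name"
    return None


class SearchRateLimiter:
    """Per-client token bucket (SC-5): `capacity` burst, `refill_per_sec` sustained."""

    def __init__(self, capacity: int = BUCKET_CAPACITY,
                 refill_per_sec: float = BUCKET_REFILL_PER_SEC) -> None:
        self.capacity = float(capacity)
        self.refill = refill_per_sec
        self._buckets: Dict[str, Tuple[float, float]] = {}  # client -> (tokens, last_ts)

    def allow(self, client: str, now: Optional[float] = None) -> bool:
        # `now` is injectable so the limiter can be tested deterministically.
        now = time.monotonic() if now is None else now
        tokens, last = self._buckets.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        if tokens < 1.0:
            self._buckets[client] = (tokens, now)
            return False
        self._buckets[client] = (tokens - 1.0, now)
        return True


def search_branches(branches: List[str], term: str, limit: int = MAX_RESULTS) -> List[str]:
    """Bounded substring match: stops scanning once `limit` matches are collected."""
    matches: List[str] = []
    for name in branches:
        if term in name:
            matches.append(name)
            if len(matches) >= limit:
                break
    return matches


# Constructed branch list standing in for a repository's refs.
SAMPLE_BRANCHES = [
    "main", "feature/login", "feature/logout",
    "fix/login-redirect", "release/16.11",
]


def handle_branch_search(limiter: SearchRateLimiter, client: str, term: str,
                         now: Optional[float] = None,
                         branches: List[str] = SAMPLE_BRANCHES) -> Tuple[str, object]:
    """Throttle first (cheapest check), then validate, then do bounded work."""
    if not limiter.allow(client, now):
        return ("throttled", None)
    reason = validate_branch_search_term(term)
    if reason is not None:
        return ("rejected", reason)
    return ("ok", search_branches(branches, term))


if __name__ == "__main__":
    limiter = SearchRateLimiter(capacity=3, refill_per_sec=1.0)
    for i, term in enumerate(["login", "a..b", "login", "login"]):
        print(i, repr(term), handle_branch_search(limiter, "10.0.0.1", term, now=0.0))
    print("after 1s", handle_branch_search(limiter, "10.0.0.1", "release", now=1.0))
```

Throttling is applied before validation on purpose: a client spamming invalid terms still spends tokens, so it cannot use rejected requests to probe the validator for free. The search itself is deliberately the only part that does work proportional to repository size, and that work is capped by the result limit.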
NVD Description
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.7 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. It was possible for an attacker to cause a denial of service by crafting unusual search terms for branch names.
Deeper analysis
CVE-2024-2878 is a denial-of-service vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE), affecting all versions starting from 15.7 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. An attacker can trigger excessive resource consumption by crafting unusual search terms for branch names; the weakness is classified as CWE-770 (Allocation of Resources Without Limits or Throttling). The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): the High rating comes from the combination of network reachability, no required privileges and a high availability impact.
An unauthenticated attacker (PR:N) can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). By submitting specially crafted search queries for branch names, the attacker causes GitLab to allocate excessive resources, leading to a denial of service (A:H) that disrupts service availability without impacting confidentiality or integrity.
GitLab fixed the vulnerability in the 16.9.7, 16.10.5 and 16.11.2 patch releases, as detailed in the release notes. Administrators should upgrade to at least the fixed version for their release line (16.9.7, 16.10.5 or 16.11.2) or to any later release. Further details are available in the GitLab issue tracker (https://gitlab.com/gitlab-org/gitlab/-/issues/451918) and the associated HackerOne report (https://hackerone.com/reports/2416356).
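To check whether a given instance falls inside the affected ranges stated above, here is an added helper (not from GitLab and not part of this page's analysis) that encodes the three ranges as half-open intervals and reports the first fixed release on the instance's line. It assumes version strings in GitLab's `MAJOR.MINOR[.PATCH][-suffix]` form, such as the `version` field returned by `GET /api/v4/version` on the instance; anything it cannot parse raises rather than silently reporting "not affected".

```python
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges from the NVD description, as [first affected, first fixed).
AFFECTED_RANGES: Tuple[Tuple[Version, Version], ...] = (
    ((15, 7, 0), (16, 9, 7)),
    ((16, 10, 0), (16, 10, 5)),
    ((16, 11, 0), (16, 11, 2)),
)


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH]' with an optional '-suffix' (e.g. '16.11.1-ee').

    A missing patch number is treated as .0; anything else raises ValueError so
    that an unparseable string is never compared as if it were unaffected.
    """
    core = text.strip().split("-", 1)[0]  # drop '-ee' / '-ce' style suffixes
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def minimum_fixed_version(text: str) -> Optional[str]:
    """Return the first fixed release on the instance's line, or None if not affected."""
    v = parse_version(text)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= v < first_fixed:
            return ".".join(str(n) for n in first_fixed)
    return None


def is_affected(text: str) -> bool:
    return minimum_fixed_version(text) is not None


if __name__ == "__main__":
    # Constructed sample inputs; in practice feed the instance's reported version.
    for sample in ("16.11.1-ee", "16.11.2", "16.9.6", "16.10.5", "15.6.9", "17.0.0"):
        fixed = minimum_fixed_version(sample)
        print(f"{sample:12} {'AFFECTED, upgrade to ' + fixed if fixed else 'not affected'}")
```

Releases before 15.7 and at or after each line's fixed version (including 16.12 and later) fall outside every interval and are reported as not affected, which matches the NVD wording exactly rather than extrapolating beyond it.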
Details
- CWE(s)