CVE-2024-9631
Published: 05 February 2025
Summary
CVE-2024-9631 is a high-severity Inefficient Algorithmic Complexity (CWE-407) vulnerability in GitLab. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 34.2nd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2024-9631 is a denial-of-service vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE), affecting all versions starting from 13.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2. The issue arises when viewing diffs of merge requests (MRs) with conflicts, which can cause significant performance degradation due to inefficient resource handling. It is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-407 (Algorithmic Complexity) and CWE-770 (Allocation of Resources Without Limits or Throttling).
An unauthenticated attacker with network access can exploit this vulnerability by accessing, or inducing others to view, the diffs of merge requests that contain conflicts. This triggers excessive resource consumption on the GitLab server, with a high impact on availability (slowdowns or service unavailability). No privileges, user interaction, or scope changes are required, so the issue is reachable by remote attackers on publicly exposed GitLab instances.
GitLab advisories, detailed in issue tracker entry https://gitlab.com/gitlab-org/gitlab/-/issues/480867 and HackerOne report https://hackerone.com/reports/2650086, recommend upgrading to patched versions: 17.2.9 or later for the 17.2 branch, 17.3.5 or later for the 17.3 branch, and 17.4.2 or later for the 17.4 branch. No additional workarounds are specified in the provided references.
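A version-range check for the three affected branches listed above, added here as an example and not GitLab's own tooling. It assumes the input is a GitLab version string such as the `version` field returned by the `/api/v4/version` endpoint (e.g. `17.3.4-ee`); the version strings in the demo are constructed.

```python
"""Affected-version check for CVE-2024-9631 (GitLab CE/EE).

Added example, not GitLab's own tooling. The ranges are the ones stated in
the advisory; the version strings used in the demo below are constructed.
"""
from __future__ import annotations

import re

# (first affected, first fixed) per release branch, from the advisory text.
# The gap between 17.2.9 and 17.3 is already patched, so it is not listed.
AFFECTED_RANGES = (
    ("13.6", "17.2.9"),
    ("17.3", "17.3.5"),
    ("17.4", "17.4.2"),
)


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '17.3.4-ee' or 'v17.4' into (17, 3, 4) / (17, 4, 0).

    Edition suffixes (-ee, -ce) are ignored; missing components count as 0.
    """
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def is_affected(version: str) -> bool:
    """True if the version lies in any half-open [first_affected, first_fixed) range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def recommended_fix(version: str) -> str | None:
    """Earliest patched release closing the range the version falls in, else None."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= v < parse_version(hi):
            return hi
    return None


if __name__ == "__main__":
    # Constructed sample inventory, not real instances.
    for ver in ("16.11.0-ee", "17.2.8", "17.2.10", "17.3.4-ee", "17.4.2"):
        print(f"{ver:12} affected={is_affected(ver)!s:5} fix={recommended_fix(ver)}")
```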
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-50440
Vulnerability details
An issue was discovered in GitLab CE/EE affecting all versions starting from 13.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, where viewing diffs of MR with conflicts can be slow.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This CVE enables remote exploitation of a public-facing GitLab instance (T1190) via algorithmic complexity in MR diff handling, directly causing an application or service DoS through resource exhaustion (T1499.004).
Mitigating Controls (NIST 800-53 r5)
- SC-5 (Denial-of-service Protection): Directly protects against denial-of-service attacks by limiting the effects of excessive resource consumption triggered by viewing merge request diffs with conflicts.
- SC-6 (Resource Availability): Ensures resource availability by implementing allocation controls to prevent exhaustion from inefficient handling of conflicted merge request diffs.
- SI-2 (Flaw Remediation): Provides timely flaw remediation by patching the GitLab versions affected by this algorithmic-complexity DoS vulnerability.