CVE-2024-9631
Published: 05 February 2025
Summary
CVE-2024-9631 is a high-severity Inefficient Algorithmic Complexity (CWE-407) vulnerability in GitLab CE/EE. Its CVSS v3.1 base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 34.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SC-5 (Denial-of-service Protection): Directly protects against denial-of-service attacks by limiting the effects of excessive resource consumption triggered by viewing merge request diffs with conflicts.
- SC-6 (Resource Availability): Ensures resource availability by implementing allocation controls to prevent exhaustion from inefficient handling of conflicted merge request diffs.
- SI-2 (Flaw Remediation): Provides timely flaw remediation through patching the GitLab versions affected by this algorithmic-complexity DoS vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables remote exploitation of a public-facing GitLab instance (T1190) through the algorithmic complexity of MR diff handling, directly causing an application/service DoS through resource exhaustion (T1499.004, Endpoint Denial of Service: Application or System Exploitation).
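The detection side of the T1499.004 mapping above is a burst of slow merge-request diff requests from one source. The following is an added example, not code from the page or from GitLab: it reads JSON-lines events shaped like GitLab's production_json.log (the field names `time`, `controller`, `remote_ip` and `duration_s`, and the controller name `Projects::MergeRequests::DiffsController`, are assumptions; check them against your own log), and flags any IP that issued a threshold number of slow diff requests inside a sliding time window. The sample log lines are constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime

# Controller that serves merge request diffs. Assumed name, modelled on GitLab's
# Rails controllers; adjust to what your own production_json.log actually shows.
DIFF_CONTROLLER = "Projects::MergeRequests::DiffsController"

# Constructed sample of production_json.log-style events (not real GitLab output).
SAMPLE_LOG = """
{"time":"2025-02-05T10:00:01Z","controller":"Projects::MergeRequests::DiffsController","action":"show","status":200,"remote_ip":"203.0.113.7","duration_s":12.4}
{"time":"2025-02-05T10:00:09Z","controller":"Projects::MergeRequests::DiffsController","action":"show","status":200,"remote_ip":"203.0.113.7","duration_s":11.9}
{"time":"2025-02-05T10:00:15Z","controller":"Projects::MergeRequests::DiffsController","action":"show","status":200,"remote_ip":"198.51.100.2","duration_s":9.3}
{"time":"2025-02-05T10:00:18Z","controller":"Projects::MergeRequests::DiffsController","action":"show","status":200,"remote_ip":"203.0.113.7","duration_s":0.4}
{"time":"2025-02-05T10:00:22Z","controller":"Projects::MergeRequests::DiffsController","action":"show","status":200,"remote_ip":"203.0.113.7","duration_s":13.1}
{"time":"2025-02-05T10:00:30Z","controller":"Projects::IssuesController","action":"index","status":200,"remote_ip":"203.0.113.7","duration_s":0.2}
{"time":"2025-02-05T10:00:31Z","controller":"Projects::MergeRequests::DiffsController","action":"show","status":200,"remote_ip":"203.0.113.7","duration_s":12.7}
"""


def parse_events(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _epoch(ts):
    """ISO-8601 timestamp to epoch seconds; tolerate the trailing 'Z' form."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()


def slow_diff_requests(events, min_duration_s=5.0):
    """Diff-view requests whose server-side duration is at least min_duration_s."""
    return [
        e for e in events
        if e.get("controller") == DIFF_CONTROLLER
        and float(e.get("duration_s", 0)) >= min_duration_s
    ]


def flag_sources(events, window_s=60, threshold=3, min_duration_s=5.0):
    """Return {remote_ip: max_count} for every IP that issued at least
    `threshold` slow diff requests inside some window of `window_s` seconds."""
    by_ip = defaultdict(list)
    for e in slow_diff_requests(events, min_duration_s):
        by_ip[e["remote_ip"]].append(_epoch(e["time"]))

    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until the window fits within window_s.
            while times[end] - times[start] > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(count, flagged.get(ip, 0))
    return flagged


if __name__ == "__main__":
    print(flag_sources(parse_events(SAMPLE_LOG)))
```

The duration threshold is what separates a conflicted MR being viewed once from abuse: a single slow render is expected on an unpatched instance, a burst from one source is not. Tune `min_duration_s` to your instance's normal diff latency before alerting on it.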
NVD Description
An issue was discovered in GitLab CE/EE affecting all versions starting from 13.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, where viewing diffs of MR with conflicts can be slow.
Deeper analysis
CVE-2024-9631 is a denial-of-service vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE), affecting all versions starting from 13.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2. The issue arises when viewing diffs of merge requests (MRs) with conflicts, which can cause significant performance degradation due to inefficient resource handling. It is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-407 (Inefficient Algorithmic Complexity) and CWE-770 (Allocation of Resources Without Limits or Throttling).
An attacker with network access to the instance can trigger the condition by requesting, or inducing another user to request, the diff view of a merge request that contains conflicts. The CVSS vector records no privileges, no user interaction and no scope change, so on a project whose merge requests are readable without an account (for example a public project) the attacker needs no credentials. Each such request consumes disproportionate server resources, and repeated requests can slow or deny the service for every user of a publicly exposed GitLab instance. Confidentiality and integrity are not affected.
GitLab advisories, detailed in issue tracker entry https://gitlab.com/gitlab-org/gitlab/-/issues/480867 and HackerOne report https://hackerone.com/reports/2650086, recommend upgrading to patched versions: 17.2.9 or later for the 17.2 branch, 17.3.5 or later for the 17.3 branch, and 17.4.2 or later for the 17.4 branch. No additional workarounds are specified in the provided references.
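Deciding whether a given instance falls in one of the three affected ranges is easy to get wrong by hand, because the ranges are half-open and the oldest one (13.6 up to 17.2.9) also covers every 17.0.x and 17.1.x release. The following is an added example, not code from the page or from GitLab: it encodes the ranges from the NVD description as `[introduced, fixed)` intervals and reports whether a version string is affected and which release closes its range. Version strings with edition suffixes such as `17.2.8-ee` are accepted; the function and constant names are the example's own.

```python
import re

# Affected ranges from the NVD description of CVE-2024-9631 as half-open
# [introduced, fixed) intervals: 13.6 <= v < 17.2.9, 17.3 <= v < 17.3.5, 17.4 <= v < 17.4.2.
AFFECTED_RANGES = (
    ((13, 6, 0), (17, 2, 9)),
    ((17, 3, 0), (17, 3, 5)),
    ((17, 4, 0), (17, 4, 2)),
)


def parse_version(text):
    """Turn '17.2.8-ee', 'v17.3' or '17.4.1' into a (major, minor, patch) tuple.

    A missing patch component is treated as .0, so '17.3' is the first 17.3 release.
    """
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("unrecognised GitLab version: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def affected_range(text):
    """Return the (introduced, fixed) interval containing the version, or None."""
    v = parse_version(text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return (lo, hi)
    return None


def is_affected(text):
    """True if the version lies inside any affected interval."""
    return affected_range(text) is not None


def fixed_version(text):
    """The release that closes the version's affected interval, or None if not affected.

    For 17.0.x/17.1.x this is 17.2.9, i.e. those branches need a branch upgrade,
    not just a patch release.
    """
    r = affected_range(text)
    return None if r is None else "%d.%d.%d" % r[1]


if __name__ == "__main__":
    for v in ("17.2.8-ee", "17.2.9", "17.1.4", "17.3.4", "17.4.2", "16.11.0"):
        status = "affected, upgrade to " + fixed_version(v) if is_affected(v) else "not affected"
        print(v, "->", status)
```

The version string can be taken from the instance's `GET /api/v4/version` endpoint (authenticated) or from the Admin Area; feed it to `is_affected` before deciding whether the SI-2 step above is still outstanding.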
Details
- CWE(s)