CVE-2023-3994
📋 TL;DR
This vulnerability lets an authenticated attacker cause a denial of service (DoS) in GitLab by sending a specially crafted Markdown payload to the preview_markdown endpoint. It is a regular expression denial of service (ReDoS): ProjectReferenceFilter, which resolves project references while Markdown is rendered, runs a regular expression that processes the crafted input inefficiently, pinning CPU and leaving the instance unresponsive for other users. All GitLab Community Edition (CE) and Enterprise Edition (EE) instances in the affected version ranges (9.3 through 16.0.7, 16.1.0 through 16.1.2, 16.2.0 through 16.2.1) are vulnerable.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to CPU exhaustion, potentially affecting all users and disrupting development workflows, CI/CD pipelines, and repository access.
Likely Case
Temporary service degradation or unavailability for targeted projects or users, requiring manual intervention to restore service.
If Mitigated
Minimal impact with proper rate limiting, request filtering, and monitoring in place to detect and block malicious payloads.
🎯 Exploit Status
Exploitation requires authentication (user account) but is straightforward with publicly available details. The HackerOne report provides technical specifics about crafting malicious payloads.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.0.8, 16.1.3, or 16.2.2
Vendor Advisory: https://gitlab.com/gitlab-org/gitlab/-/issues/416225
Restart Required: Yes
Instructions:
1. Back up your GitLab instance (on Omnibus: sudo gitlab-backup create) and its configuration files before upgrading.
2. Update to the fixed release for the line you are on: 16.0.x to 16.0.8, 16.1.x to 16.1.3, 16.2.x to 16.2.2 (or any later release). Instances older than 16.0 must reach one of these through GitLab's documented upgrade path rather than in a single jump.
3. For Omnibus (Linux package) installations, install the new package following https://docs.gitlab.com/ee/update/. The package runs gitlab-ctl reconfigure and restarts services as part of the install, so stopping services beforehand is not required.
4. If the upgrade procedure for your install type did not restart services, restart them (Omnibus: sudo gitlab-ctl restart).
5. Verify the running version with sudo gitlab-rake gitlab:env:info.
🔧 Temporary Workarounds
Rate Limit the Markdown Rendering Endpoints
Apply rate limiting to POST requests on the preview_markdown route (for example /<namespace>/<project>/preview_markdown) and on the REST equivalent /api/v4/markdown, which renders Markdown through the same pipeline, so that one client cannot trigger an unbounded number of expensive renders.
Configure this in GitLab's rate-limit settings (Admin Area > Settings > Network, authenticated web and API request limits) or in front of GitLab with web server (nginx/Apache) or WAF rules. GitLab's built-in limits count all requests per user or per IP, not per endpoint, so set them low enough to matter for this route without starving normal use.
Restrict Who Can Reach preview_markdown
Limit the Markdown rendering endpoints to trusted users or networks: require authentication for the whole instance, or allow-list source IPs at the reverse proxy or firewall, so that only accountable accounts can trigger a render.
🧯 If You Can't Patch
- Monitor CPU usage and GitLab's request logs (production_json.log for the web route, api_json.log for /api/v4/markdown) for Markdown renders whose duration_s or cpu_s is far above normal, and block or rate-limit the offending accounts and IPs.
- Treat WAF signature rules as a weak control here: a ReDoS payload is typically ordinary-looking Markdown that is merely long or repetitive, not a distinctive string that a blocklist can match reliably. Capping request body size on the Markdown rendering endpoints, combined with per-client rate limiting, is more dependable than trying to recognise the payload.
🔍 How to Verify
Check if Vulnerable:
Check your GitLab version (CE or EE). Affected: 9.3 through 16.0.7, 16.1.0 through 16.1.2, and 16.2.0 through 16.2.1. A build suffix such as -ee or -ce does not change the comparison.
Check Version:
sudo gitlab-rake gitlab:env:info | grep -A1 'GitLab information'
The version line in this output is labelled simply "Version:" under the "GitLab information" header (a second "Version:" line further down belongs to GitLab Shell), hence the -A1. On Omnibus installs, head -1 /opt/gitlab/version-manifest.txt also reports the installed package version.
Verify Fix Applied:
After patching, confirm the reported version is 16.0.8 or later on the 16.0 line, 16.1.3 or later on 16.1, or 16.2.2 or later (16.3 and newer also include the fix). Then exercise Markdown preview on a test issue or merge request and confirm it returns promptly without a CPU spike on the Rails nodes.
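As an added worked example (not part of this advisory and not GitLab tooling), the following Python turns the version check above into code: it pulls GitLab's own version out of gitlab-rake gitlab:env:info output and tests it against the three affected ranges listed in this section. The sample report is constructed, and the parser assumes the Omnibus output layout in which a "GitLab information" header precedes its "Version:" line.

```python
"""Decide whether a GitLab version string is in the CVE-2023-3994 affected ranges.

Added example for this advisory page; not GitLab tooling. The affected ranges
come from the advisory text; the sample `gitlab:env:info` output is constructed.
"""
import re
import sys
from typing import Tuple

Version = Tuple[int, int, int]

# (first affected, first fixed) per release line, as half-open intervals.
AFFECTED_RANGES = (
    ((9, 3, 0), (16, 0, 8)),    # 9.3 up to and including 16.0.7
    ((16, 1, 0), (16, 1, 3)),   # 16.1.0 up to and including 16.1.2
    ((16, 2, 0), (16, 2, 2)),   # 16.2.0 up to and including 16.2.1
)


def parse_version(text: str) -> Version:
    """Extract major.minor[.patch] from '16.2.1-ee', '16.0.7', 'gitlab-ce 16.1.2', ...

    Build suffixes such as -ee/-ce are ignored; only the numeric GitLab
    version takes part in the comparison.
    """
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(version_text: str) -> bool:
    """True if the version sits inside any affected range (and so lacks the fix)."""
    v = parse_version(version_text)
    return any(first <= v < fixed for first, fixed in AFFECTED_RANGES)


def version_from_env_info(output: str) -> str:
    """Pull GitLab's own version out of `gitlab-rake gitlab:env:info` output.

    The report has several 'Version:' lines (Ruby, GitLab, GitLab Shell), so
    take the first one after the 'GitLab information' header. Layout assumed
    from Omnibus installs.
    """
    in_gitlab_block = False
    for line in output.splitlines():
        if line.strip() == "GitLab information":
            in_gitlab_block = True
        elif in_gitlab_block and line.startswith("Version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no 'Version:' line under 'GitLab information'")


# Constructed sample, trimmed to the lines that matter for the check.
SAMPLE_ENV_INFO = """\
System information
System:\t\tUbuntu 22.04
Ruby Version:\t3.0.6p216

GitLab information
Version:\t16.2.1-ee
Directory:\t/opt/gitlab/embedded/service/gitlab-rails

GitLab Shell
Version:\t14.24.0
"""


if __name__ == "__main__":
    # Usage: sudo gitlab-rake gitlab:env:info | python3 check_cve_2023_3994.py
    report = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ENV_INFO
    ver = version_from_env_info(report)
    verdict = "VULNERABLE, upgrade" if is_vulnerable(ver) else "not affected"
    print(f"GitLab {ver}: {verdict}")
```

The half-open intervals make the boundary cases explicit: 16.0.7 is flagged, 16.0.8 and any later 16.0.x are not, and a version such as 16.3.0 falls outside every range because the fix shipped before that line was cut.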
📡 Detection & Monitoring
Log Indicators:
- Requests to a Markdown rendering path (POST .../preview_markdown in production_json.log, POST /api/v4/markdown in api_json.log) whose duration_s and cpu_s are measured in seconds rather than well under a second, repeated from one account or IP.
- Puma worker timeouts or restarts that coincide with those requests, and sustained high CPU on the Rails nodes without a matching rise in overall request volume.
Network Indicators:
- Bursts of POST requests to the Markdown rendering endpoints from a single client, often with unusually large or repetitive request bodies.
SIEM Query:
(pseudo-query; field names follow GitLab's JSON request logs, adapt them to your SIEM's syntax)
source IN ("gitlab/production_json.log", "gitlab/api_json.log") AND (path LIKE "%/preview_markdown" OR path="/api/v4/markdown") AND (duration_s>10 OR cpu_s>5) | stats count BY username, remote_ip
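The following Python is an added example (not from the advisory and not GitLab code) of the log-based detection described in this section. It scans lines shaped like GitLab's structured request logs, keeps requests to a Markdown rendering path whose cpu_s or duration_s is far above normal, and counts them per actor so that a single account or IP hammering the endpoint stands out as a candidate for rate limiting or blocking. The log lines are constructed; the field names (path, duration_s, cpu_s, username, remote_ip) follow the production_json.log layout, and the thresholds are illustrative, so tune both to your deployment.

```python
"""Flag expensive Markdown renders in GitLab JSON request logs (CVE-2023-3994 triage).

Added example for this advisory; not GitLab code. Field names follow GitLab's
production_json.log / api_json.log layout; the log lines below are constructed.
"""
import json
from collections import Counter
from typing import Dict, Iterable, Iterator

API_MARKDOWN_PATH = "/api/v4/markdown"


def renders_markdown(path: str) -> bool:
    """Both routes push user-supplied text through the Markdown pipeline and its filters."""
    return path == API_MARKDOWN_PATH or path.endswith("/preview_markdown")


def expensive_renders(lines: Iterable[str], cpu_threshold: float = 2.0,
                      duration_threshold: float = 5.0) -> Iterator[dict]:
    """Yield parsed records for Markdown renders that burned unusual CPU or wall time.

    A normal preview finishes well under a second; a ReDoS trigger pins a Puma
    worker for seconds, so cpu_s tracks duration_s closely. Non-JSON lines and
    requests to other routes are skipped.
    """
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # plain-text line from another log, not a request record
        if not renders_markdown(rec.get("path", "")):
            continue
        if (rec.get("cpu_s", 0.0) >= cpu_threshold
                or rec.get("duration_s", 0.0) >= duration_threshold):
            yield rec


def actors_to_block(lines: Iterable[str], min_hits: int = 2,
                    **thresholds) -> Dict[str, int]:
    """Count expensive renders per actor (username, else remote_ip) and return
    those at or above min_hits: the candidates for rate limiting or blocking."""
    hits: Counter = Counter()
    for rec in expensive_renders(lines, **thresholds):
        actor = rec.get("username") or rec.get("remote_ip") or "unknown"
        hits[actor] += 1
    return {actor: n for actor, n in hits.items() if n >= min_hits}


# Constructed sample: three slow renders from one account, one normal preview,
# one slow but unrelated page view, one mildly slow API render, one stray line.
SAMPLE_LOG = """\
{"method":"POST","path":"/dev/app/preview_markdown","controller":"Projects::PreviewMarkdownController","action":"preview_markdown","status":200,"time":"2023-08-01T10:00:01.000Z","remote_ip":"203.0.113.7","username":"mallory","duration_s":31.8,"cpu_s":31.2}
{"method":"POST","path":"/dev/app/preview_markdown","controller":"Projects::PreviewMarkdownController","action":"preview_markdown","status":200,"time":"2023-08-01T10:00:35.000Z","remote_ip":"203.0.113.7","username":"mallory","duration_s":29.5,"cpu_s":29.0}
{"method":"POST","path":"/api/v4/markdown","status":200,"time":"2023-08-01T10:01:07.000Z","remote_ip":"203.0.113.7","username":"mallory","duration_s":28.1,"cpu_s":27.9}
{"method":"POST","path":"/dev/app/preview_markdown","controller":"Projects::PreviewMarkdownController","action":"preview_markdown","status":200,"time":"2023-08-01T10:01:10.000Z","remote_ip":"198.51.100.4","username":"alice","duration_s":0.09,"cpu_s":0.06}
{"method":"GET","path":"/dev/app/-/issues","controller":"Projects::IssuesController","action":"index","status":200,"time":"2023-08-01T10:01:12.000Z","remote_ip":"198.51.100.4","username":"alice","duration_s":12.0,"cpu_s":0.4}
{"method":"POST","path":"/api/v4/markdown","status":200,"time":"2023-08-01T10:01:20.000Z","remote_ip":"198.51.100.9","username":"bob","duration_s":6.1,"cpu_s":0.2}
2023-08-01_10:01:21 plain-text line from another log, ignored
"""


if __name__ == "__main__":
    for actor, n in sorted(actors_to_block(SAMPLE_LOG.splitlines()).items()):
        print(f"{actor}: {n} expensive Markdown renders, rate limit or block")
```

Filtering on the route first matters: the slow issues page view in the sample is never considered, so a busy instance with ordinary slow pages does not drown out the signal. The single mildly slow API render from bob is recorded but stays below min_hits, which keeps one unlucky request from looking like an attack.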