CVE-2024-11274

8.7 HIGH

📋 TL;DR

This vulnerability allows attackers to inject NEL (Network Error Logging) headers into Kubernetes proxy responses in GitLab, potentially leading to session data exfiltration. All GitLab CE/EE instances running affected versions are vulnerable, particularly those using Kubernetes integration.

💻 Affected Systems

Products:
  • GitLab Community Edition
  • GitLab Enterprise Edition
Versions: 16.1 to 17.4.5, 17.5 to 17.5.3, 17.6 to 17.6.1
Operating Systems: All platforms running GitLab
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Kubernetes integration to be enabled and accessible.

📦 What is this software?

Gitlab by Gitlab

GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...


⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could exfiltrate sensitive session data, including authentication tokens, potentially leading to account takeover, data breaches, and lateral movement within the GitLab environment.

🟠 Likely Case: Session hijacking and unauthorized access to GitLab repositories, pipelines, and sensitive project data.

🟢 If Mitigated: Limited impact with proper network segmentation and monitoring, though session data could still be exposed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the ability to inject headers into Kubernetes proxy responses, which likely requires some level of access to the GitLab environment.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 17.4.6, 17.5.4, 17.6.2

Vendor Advisory: https://gitlab.com/gitlab-org/gitlab/-/issues/504707

Restart Required: Yes

Instructions:

1. Back up the GitLab instance.
2. Update to a patched version using the package manager (apt/yum) or Omnibus.
3. Restart the GitLab services.
4. Verify the update with gitlab-rake gitlab:env:info.

🔧 Temporary Workarounds

Disable Kubernetes Integration (Linux)

Temporarily disable the GitLab Kubernetes agent server if it is not essential:

gitlab-rake gitlab:kubernetes:agent:disable

Restrict Network Access (Linux)

Limit network access to the GitLab Kubernetes proxy endpoints:

iptables -A INPUT -p tcp --dport 8150 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate GitLab Kubernetes components
  • Enable enhanced logging and monitoring for suspicious header injection attempts

🔍 How to Verify

Check if Vulnerable:

Check the GitLab version with: sudo gitlab-rake gitlab:env:info | grep 'GitLab version'


Verify Fix Applied:

Confirm that the installed version is 17.4.6 or later, 17.5.4 or later, or 17.6.2 or later, and test that the Kubernetes proxy still works.

📡 Detection & Monitoring

Log Indicators:

  • Unusual NEL header patterns in GitLab logs
  • Suspicious requests to /api/v4/internal/kubernetes endpoints

Network Indicators:

  • Unexpected outbound connections from GitLab to external domains following k8s proxy requests

SIEM Query:

source="gitlab" AND ("NEL" OR "kubernetes/agent" OR ("session" AND "exfiltrat*"))
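An added example (not code from this page or from GitLab) of what "unusual NEL header patterns" look like in practice: a Python check that inspects captured HTTP response headers from the Kubernetes proxy and flags any NEL header whose Report-To group would send browser error reports to a host outside an allowlist. The allowlisted host and the sample response are constructed assumptions.

```python
import json
from urllib.parse import urlsplit

# Assumed allowlist for this example: hosts the deployment legitimately sends NEL reports to.
ALLOWED_REPORT_HOSTS = {"reports.gitlab.example.com"}

def parse_headers(raw):
    """Split a raw HTTP response header block into lowercase (name, value) pairs."""
    pairs = [line.partition(":") for line in raw.splitlines() if ":" in line and not line.startswith("HTTP/")]
    return [(n.strip().lower(), v.strip()) for n, _, v in pairs]

def report_to_groups(value):
    """Map Report-To group names to endpoint URLs (the value is comma-separated JSON objects)."""
    try:
        objs = json.loads("[" + value + "]")
    except ValueError:
        return {}
    return {o.get("group", "default"): [e.get("url", "") for e in o.get("endpoints", []) if isinstance(e, dict)]
            for o in objs if isinstance(o, dict)}

def audit_response(raw):
    """Flag NEL headers whose report group would send error reports outside the allowlist."""
    groups, nel_values, findings = {}, [], []
    for name, value in parse_headers(raw):
        if name == "report-to":
            groups.update(report_to_groups(value))
        elif name == "nel":
            nel_values.append(value)
    for value in nel_values:
        try:
            group = json.loads(value).get("report_to", "default")
        except (ValueError, AttributeError):
            findings.append("unparsable NEL header: " + value)
            continue
        if group not in groups:
            findings.append(f"NEL references report group '{group}' with no Report-To entry")
        for url in groups.get(group, []):
            host = urlsplit(url).hostname or ""
            if host not in ALLOWED_REPORT_HOSTS:
                findings.append(f"NEL group '{group}' reports to non-allowlisted host '{host}'")
    return findings

# Constructed sample (not a real capture): a proxied response carrying an injected NEL/Report-To pair.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    'Report-To: {"group":"nel","max_age":86400,"endpoints":[{"url":"https://collector.example.net/r"}]}\r\n'
    'NEL: {"report_to":"nel","max_age":86400,"include_subdomains":true}\r\n'
)
```

Calling audit_response(SAMPLE_RESPONSE) returns one finding naming collector.example.net; a response whose Report-To endpoint is on the allowlist returns an empty list.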
