CVE-2024-4994
📋 TL;DR
This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability in GitLab's GraphQL API that allows attackers to trick authenticated users into executing arbitrary GraphQL mutations. This affects all GitLab CE/EE instances running vulnerable versions, potentially allowing unauthorized actions on behalf of legitimate users.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
Attackers could execute arbitrary GraphQL mutations as authenticated users, potentially leading to data theft, repository manipulation, user account compromise, or system takeover depending on available mutations.
Likely Case
Attackers could perform unauthorized actions such as modifying repository settings, changing user permissions, or exfiltrating sensitive data through crafted GraphQL requests.
If Mitigated
With proper CSRF protections and security headers, the attack surface is significantly reduced, though the vulnerability still exists in the underlying code.
🎯 Exploit Status
Exploitation requires tricking an authenticated user into visiting a malicious page. The vulnerability is in the GraphQL API endpoint which typically requires authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.11.5, 17.0.3, 17.1.1
Vendor Advisory: https://gitlab.com/gitlab-org/gitlab/-/issues/462012
Restart Required: Yes
Instructions:
1. Back up your GitLab instance.
2. Update to GitLab 16.11.5, 17.0.3, or 17.1.1, depending on your current version.
3. Restart GitLab services.
4. Verify the update was successful.
🔧 Temporary Workarounds
Enable CSRF Protection Headers
Configure additional CSRF protection headers to reduce the attack surface
# In GitLab configuration (/etc/gitlab/gitlab.rb); the CSP setting is a hash, not a boolean:
gitlab_rails['content_security_policy'] = {
  enabled: true,
  report_only: false,
  directives: { frame_ancestors: "'self'" }
}
# Apply the change with: sudo gitlab-ctl reconfigure
Note that frame-ancestors restricts who may frame GitLab pages (clickjacking); it does not by itself stop a cross-site POST, so treat it as defence in depth alongside the patch.
🧯 If You Can't Patch
- Implement strict SameSite cookie policies and CSRF tokens for all GraphQL requests
- Restrict GraphQL API access to trusted networks only using firewall rules
🔍 How to Verify
Check if Vulnerable:
Check the GitLab version in the Admin Area or with the command below, and compare it against the patch versions listed above.
Check Version:
sudo gitlab-rake gitlab:env:info | grep Version
Verify Fix Applied:
Verify the running version is 16.11.5 or later (16.11 series), 17.0.3 or later (17.0 series), or 17.1.1 or later.
📡 Detection & Monitoring
Log Indicators:
- Unusual GraphQL mutation patterns from unexpected sources
- CSRF token validation failures in application logs
- Multiple failed authentication attempts followed by successful GraphQL requests
Network Indicators:
- GraphQL POST requests without proper referer headers
- Requests to /api/graphql endpoint with suspicious mutation payloads
SIEM Query:
source="gitlab" AND ("GraphQL" OR "mutation") AND status=200 AND (NOT referer="*gitlab*")
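To turn the network indicators above into a check you can run over exported logs, here is an added Python example (not from the advisory or from GitLab). It assumes a JSON-per-line log with constructed field names (`method`, `path`, `status`, `auth`, `origin`, `referer`, `remote_ip`) and a trusted host of `gitlab.example.com`; it only flags cookie-authenticated requests, since token-authenticated API clients cannot be forged cross-site and would otherwise drown the alert.

```python
import json
from urllib.parse import urlparse

# Hosts that legitimately originate browser GraphQL calls (assumed value, not from the advisory).
TRUSTED_HOSTS = {"gitlab.example.com"}

def classify(entry, trusted_hosts=TRUSTED_HOSTS):
    """Return a reason string for a cross-site GraphQL POST, else None.
    Only cookie (session) authenticated requests can be forged by a third-party
    page; token-authenticated API clients legitimately omit Referer/Origin and
    are skipped. Field names are the assumed schema of the constructed sample.
    """
    if entry.get("auth") != "session":
        return None
    if entry.get("method") != "POST" or entry.get("path") != "/api/graphql":
        return None
    source = entry.get("origin") or entry.get("referer")
    if not source:
        return "missing-origin"
    host = urlparse(source).hostname
    if host in trusted_hosts:
        return None
    # Non-200 from a foreign origin: the CSRF check rejected it; 200: a mutation may have run.
    outcome = "succeeded" if entry.get("status") == 200 else "blocked"
    return f"cross-site:{host}:{outcome}"

def scan(log_lines, trusted_hosts=TRUSTED_HOSTS):
    """Parse JSON-per-line records and return (remote_ip, reason) per hit."""
    hits = []
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if not isinstance(entry, dict):
            continue
        reason = classify(entry, trusted_hosts)
        if reason:
            hits.append((entry.get("remote_ip"), reason))
    return hits

# Constructed sample records (not real GitLab output).
SAMPLE_LOG = [
    '{"method":"POST","path":"/api/graphql","status":200,"auth":"session","remote_ip":"10.0.0.5","referer":"https://gitlab.example.com/group/project"}',
    '{"method":"POST","path":"/api/graphql","status":200,"auth":"token","remote_ip":"10.0.0.9"}',
    '{"method":"POST","path":"/api/graphql","status":200,"auth":"session","remote_ip":"198.51.100.7","origin":"https://other-site.example.net"}',
    '{"method":"POST","path":"/api/graphql","status":422,"auth":"session","remote_ip":"198.51.100.8","origin":"https://other-site.example.net"}',
    '{"method":"POST","path":"/api/graphql","status":200,"auth":"session","remote_ip":"10.0.0.12"}',
    'not json at all',
]
```

Run `scan` over your own export after mapping its field names onto the assumed schema; a `succeeded` hit is the one to investigate first, a `blocked` hit shows the CSRF check doing its job.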