CVE-2024-9631

7.5 HIGH

📋 TL;DR

This vulnerability in GitLab CE/EE causes performance degradation when viewing diffs of merge requests with conflicts, potentially leading to denial of service through resource exhaustion. All GitLab instances running affected versions are impacted. The issue stems from inefficient algorithmic complexity (CWE-407) in conflict resolution logic.

💻 Affected Systems

Products:
  • GitLab Community Edition
  • GitLab Enterprise Edition
Versions: 13.6 to 17.2.8, 17.3 to 17.3.4, 17.4 to 17.4.1
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with merge request functionality enabled are affected. Self-managed and GitLab.com SaaS instances are both vulnerable.

📦 What is this software?

Gitlab by Gitlab

GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could repeatedly trigger diff viewing on conflicted merge requests to exhaust server resources, causing complete service unavailability and disrupting all GitLab operations.

🟠 Likely Case

Legitimate users viewing diffs on complex merge requests experience significant slowdowns, reduced productivity, and potential timeouts that prevent code review completion.

🟢 If Mitigated

With proper monitoring and resource limits, impact is limited to temporary performance degradation for specific users viewing conflicted diffs.

🌐 Internet-Facing: MEDIUM - Attackers could target public GitLab instances to cause service disruption, but requires authenticated access to create/view merge requests.
🏢 Internal Only: MEDIUM - Internal users could inadvertently or intentionally trigger the slowdown, affecting team productivity and system performance.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated user access to create/view merge requests with conflicts. No public exploit code exists, but the vulnerability is well-documented in GitLab's issue tracker.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 17.2.9, 17.3.5, 17.4.2 or later

Vendor Advisory: https://gitlab.com/gitlab-org/gitlab/-/issues/480867

Restart Required: No

Instructions:

1. Backup your GitLab instance.
2. Update to GitLab 17.2.9, 17.3.5, or 17.4.2 depending on your current version track.
3. Follow GitLab's official upgrade documentation for your deployment method (Omnibus, Helm, source).
4. Verify the update completed successfully.

🔧 Temporary Workarounds

Disable merge request diff viewing (applies to: all)

Temporarily restrict access to merge request diff functionality to prevent exploitation

# Configure GitLab to restrict merge request access
# Edit /etc/gitlab/gitlab.rb (Omnibus) and set:
gitlab_rails['gitlab_default_projects_features_merge_requests'] = false
# This key only changes the merge request feature default for newly created
# projects; existing projects keep their own project-level setting, which is
# managed per project under Settings > General > Visibility, project features, permissions.
# Then reconfigure: gitlab-ctl reconfigure

Implement rate limiting (applies to: all)

Add rate limiting on merge request endpoints to prevent repeated triggering

# Configure rate limiting in gitlab.rb:
gitlab_rails['rate_limiting_enabled'] = true
gitlab_rails['rate_limiting_requests_per_period'] = 10
gitlab_rails['rate_limiting_period'] = 60
# Then: gitlab-ctl reconfigure
# Authenticated web rate limits can also be set at runtime, without a reconfigure,
# under Admin Area > Settings > Network > User and IP rate limits.

🧯 If You Can't Patch

  • Implement strict access controls to limit who can create/view merge requests
  • Monitor system resources and set up alerts for abnormal CPU/memory usage patterns

🔍 How to Verify

Check if Vulnerable:

Check your GitLab version via Admin Area or command line. If version falls within affected ranges, you are vulnerable.

Check Version:

sudo gitlab-rake gitlab:env:info | grep 'Version:'

or check Admin Area → Overview → Dashboard

Verify Fix Applied:

After patching, verify version is 17.2.9+, 17.3.5+, or 17.4.2+. Test viewing diffs of merge requests with conflicts to confirm normal performance.
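The version check above, done programmatically. This is an added example and not GitLab's own tooling: the affected ranges and fix versions are the ones stated on this page, and SAMPLE_ENV_INFO is constructed output in the shape of gitlab-rake gitlab:env:info (the revision value is a placeholder). One detail the grep command hides is that the GitLab Shell section of that output also carries a Version: line, so the parser only reads the Version: line under the "GitLab information" heading.

```python
"""Affected-version check for CVE-2024-9631.

Added example, not GitLab's own tooling. The affected ranges and fixed
versions are the ones stated on this page; SAMPLE_ENV_INFO is constructed
sample output in the shape of `gitlab-rake gitlab:env:info`.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

# (first affected, first fixed) for each release line, from this page.
# A release line is affected from `start` up to but not including `fixed`.
AFFECTED_RANGES = [
    ((13, 6), (17, 2, 9)),   # 13.6 .. 17.2.8  -> fixed in 17.2.9
    ((17, 3), (17, 3, 5)),   # 17.3 .. 17.3.4  -> fixed in 17.3.5
    ((17, 4), (17, 4, 2)),   # 17.4 .. 17.4.1  -> fixed in 17.4.2
]

# Constructed sample output; the revision is a placeholder, not a real commit.
SAMPLE_ENV_INFO = """\
System information
System:
Proxy:\t\tno
Ruby Version:\t3.1.4p223

GitLab information
Version:\t17.2.8-ee
Revision:\tPLACEHOLDER_REVISION
DB Adapter:\tPostgreSQL

GitLab Shell
Version:\t14.0.0
"""


def parse_version(text: str) -> Version:
    """Extract MAJOR.MINOR[.PATCH] as an int tuple; tolerates suffixes such as '-ee'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.groups(default="0"))


def recommended_fix(version: str) -> Optional[str]:
    """Return the first fixed release on the same track, or None if unaffected."""
    v = parse_version(version)
    for start, fixed in AFFECTED_RANGES:
        if start <= v < fixed:
            return ".".join(str(p) for p in fixed)
    return None


def is_affected(version: str) -> bool:
    return recommended_fix(version) is not None


def gitlab_version_from_env_info(output: str) -> Optional[str]:
    """Pull the GitLab version out of `gitlab-rake gitlab:env:info` output.

    `grep 'Version:'` alone also matches the GitLab Shell section, so only
    the Version: line that follows the 'GitLab information' heading is used.
    """
    in_gitlab_section = False
    for line in output.splitlines():
        if line.strip() == "GitLab information":
            in_gitlab_section = True
            continue
        if in_gitlab_section and line.startswith("Version:"):
            return line.split(":", 1)[1].strip()
    return None


def assess(env_info_output: str) -> dict:
    """Summarise: running version, whether it is in an affected range, target fix."""
    version = gitlab_version_from_env_info(env_info_output)
    if version is None:
        return {"version": None, "affected": None, "fix": None}
    fix = recommended_fix(version)
    return {"version": version, "affected": fix is not None, "fix": fix}


if __name__ == "__main__":
    # On a real host: assess(subprocess.check_output(
    #     ["sudo", "gitlab-rake", "gitlab:env:info"], text=True))
    print(assess(SAMPLE_ENV_INFO))
```

Because each release line has its own backport, a version such as 17.3.0 is still affected even though it is numerically above the 17.2.9 fix; the per-track ranges handle that, which a single "is it above X" comparison would not.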

📡 Detection & Monitoring

Log Indicators:

  • Slow response times for merge request diff endpoints in production.log
  • High CPU usage correlated with merge request viewing in sidekiq.log

Network Indicators:

  • Increased HTTP 504 timeout errors on /merge_requests/*/diffs endpoints
  • Abnormally long response times for GET requests to merge request pages

SIEM Query:

source="gitlab.logs" ("GET /merge_requests" AND response_time>5000) OR ("Processing by Projects::MergeRequestsController#diffs" AND duration>5s)
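The same detection logic run offline over log lines, as an added example that is not GitLab's code or part of this page. It generalises the query slightly: any Projects::MergeRequestsController action whose name starts with "diff" (diffs, diffs_batch) counts as a diff request, and on top of the per-request threshold it counts slow diff requests per user inside a time window, which is the repeated-triggering pattern behind the "Worst Case" scenario above. Field names (controller, action, duration_s, username, remote_ip, time) follow GitLab's production_json.log; the log lines, usernames, IPs and thresholds are constructed for the example.

```python
"""Detection of slow and repeated merge request diff requests in production_json.log.

Added example, not GitLab's own code. Field names follow GitLab's
production_json.log; the sample lines, usernames and thresholds are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

SLOW_THRESHOLD_S = 5.0                  # same cut-off as the page's duration>5s query
REPEAT_WINDOW = timedelta(minutes=10)   # window used to decide "repeatedly triggering"
REPEAT_COUNT = 3                        # slow diff hits inside the window before flagging an actor

# Constructed sample lines in production_json.log shape (one JSON object per line).
SAMPLE_LOG = """\
{"method":"GET","path":"/grp/proj/-/merge_requests/42/diffs","controller":"Projects::MergeRequestsController","action":"diffs","status":200,"duration_s":12.4,"username":"alice","remote_ip":"10.0.0.5","time":"2024-10-10T09:00:00.000Z"}
{"method":"GET","path":"/grp/proj/-/merge_requests/42/diffs","controller":"Projects::MergeRequestsController","action":"diffs","status":200,"duration_s":9.8,"username":"alice","remote_ip":"10.0.0.5","time":"2024-10-10T09:02:00.000Z"}
{"method":"GET","path":"/grp/proj/-/merge_requests/42/diffs_batch.json","controller":"Projects::MergeRequestsController","action":"diffs_batch","status":200,"duration_s":7.1,"username":"alice","remote_ip":"10.0.0.5","time":"2024-10-10T09:05:00.000Z"}
{"method":"GET","path":"/grp/proj/-/merge_requests/7/diffs","controller":"Projects::MergeRequestsController","action":"diffs","status":200,"duration_s":0.4,"username":"bob","remote_ip":"10.0.0.6","time":"2024-10-10T09:06:00.000Z"}
{"method":"GET","path":"/grp/proj/-/merge_requests/7","controller":"Projects::MergeRequestsController","action":"show","status":200,"duration_s":8.0,"username":"carol","remote_ip":"10.0.0.7","time":"2024-10-10T09:07:00.000Z"}
{"method":"GET","path":"/grp/proj/-/issues/3","controller":"Projects::IssuesController","action":"show","status":200,"duration_s":6.0,"username":"dave","remote_ip":"10.0.0.8","time":"2024-10-10T09:08:00.000Z"}
this line is not JSON and must be skipped, not crash the scan
{"method":"GET","path":"/grp/proj/-/merge_requests/42/diffs","controller":"Projects::MergeRequestsController","action":"diffs","status":200,"duration_s":6.0,"username":"eve","remote_ip":"10.0.0.9","time":"2024-10-10T09:10:00.000Z"}
{"method":"GET","path":"/grp/proj/-/merge_requests/42/diffs","controller":"Projects::MergeRequestsController","action":"diffs","status":200,"duration_s":11.0,"username":"alice","remote_ip":"10.0.0.5","time":"2024-10-10T10:30:00.000Z"}
"""


def parse_line(line: str) -> Optional[dict]:
    """One JSON record per line; unparsable lines are skipped rather than aborting the scan."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    return rec if isinstance(rec, dict) else None


def is_slow_mr_diff(rec: dict) -> bool:
    """Slow diff rendering: a MergeRequestsController 'diff*' action over the threshold."""
    if rec.get("controller") != "Projects::MergeRequestsController":
        return False
    if not str(rec.get("action", "")).startswith("diff"):
        return False
    try:
        return float(rec.get("duration_s", 0)) > SLOW_THRESHOLD_S
    except (TypeError, ValueError):  # missing or malformed duration field
        return False


def parse_time(ts: str) -> datetime:
    """production_json.log timestamps are ISO-8601 with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def repeat_actors(records: List[dict]) -> Dict[str, int]:
    """Actors with at least REPEAT_COUNT slow diff requests inside any REPEAT_WINDOW.

    Returns {actor: largest number of slow hits seen in one window}.
    """
    by_actor: Dict[str, List[datetime]] = defaultdict(list)
    for rec in records:
        actor = rec.get("username") or rec.get("remote_ip") or "unknown"
        by_actor[actor].append(parse_time(rec["time"]))
    flagged: Dict[str, int] = {}
    for actor, times in by_actor.items():
        times.sort()
        j = 0
        for i, start in enumerate(times):           # sliding window [times[i], times[j]]
            if j < i:
                j = i
            while j + 1 < len(times) and times[j + 1] - start <= REPEAT_WINDOW:
                j += 1
            count = j - i + 1
            if count >= REPEAT_COUNT:
                flagged[actor] = max(flagged.get(actor, 0), count)
    return flagged


def analyse(lines: Iterable[str]) -> dict:
    """Run both detections over a log; returns counts so the result can be asserted on."""
    slow = [rec for rec in map(parse_line, lines) if rec and is_slow_mr_diff(rec)]
    return {"slow_diff_requests": len(slow), "repeat_actors": repeat_actors(slow)}


if __name__ == "__main__":
    # On a real host: analyse(open("/var/log/gitlab/gitlab-rails/production_json.log"))
    print(analyse(SAMPLE_LOG.splitlines()))
```

The per-request threshold alone will fire on legitimate users working on large conflicted merge requests (the "Likely Case" above); the windowed per-actor count is what separates that from one account hammering the endpoint, and is the signal worth paging on.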
