CVE-2024-9631
Published: 05 February 2025
Description
An issue was discovered in GitLab CE/EE affecting all versions starting from 13.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, where viewing diffs of MR with conflicts can be slow.
Security Summary
CVE-2024-9631 is a denial-of-service vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE), affecting all versions starting from 13.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2. The issue arises when viewing diffs of merge requests (MRs) with conflicts, which can cause significant performance degradation due to inefficient resource handling. It is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-407 (Algorithmic Complexity) and CWE-770 (Allocation of Resources Without Limits or Throttling).
An unauthenticated attacker with network access can exploit this vulnerability by accessing, or inducing others to view, the diffs of merge requests that contain conflicts. Rendering such a diff triggers excessive resource consumption on the GitLab server, potentially leading to a high availability impact such as slowdowns or service unavailability. No privileges, user interaction, or scope change is required, so the issue is reachable by remote attackers against publicly exposed GitLab instances.
GitLab advisories, detailed in issue tracker entry https://gitlab.com/gitlab-org/gitlab/-/issues/480867 and HackerOne report https://hackerone.com/reports/2650086, recommend upgrading to patched versions: 17.2.9 or later for the 17.2 branch, 17.3.5 or later for the 17.3 branch, and 17.4.2 or later for the 17.4 branch. No additional workarounds are specified in the provided references.
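Because the advisory defines exposure purely by version range, the first defensive check is to test an instance's reported version against those ranges. The following is an added example (not GitLab's code and not part of the advisory); it encodes the three affected ranges stated above, and it assumes the version string looks like what GitLab reports (e.g. "17.3.4-ee"), with an optional edition suffix that is ignored.

```python
"""Check whether a GitLab version string falls inside the CVE-2024-9631 affected ranges.

Ranges are taken from the advisory text:
  >= 13.6 and < 17.2.9, >= 17.3 and < 17.3.5, >= 17.4 and < 17.4.2.
Each range is a half-open interval [lower, upper) over (major, minor, patch) tuples.
"""
import re

# (inclusive lower bound, exclusive upper bound) per the advisory
AFFECTED_RANGES = [
    ((13, 6, 0), (17, 2, 9)),
    ((17, 3, 0), (17, 3, 5)),
    ((17, 4, 0), (17, 4, 2)),
]

# Minimum patched release per maintained branch, from the advisory
FIXED_BY_BRANCH = {
    (17, 3): "17.3.5",
    (17, 4): "17.4.2",
}
DEFAULT_FIXED = "17.2.9"  # for every other affected branch (13.6 through 17.2)

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Parse 'MAJOR.MINOR[.PATCH][-suffix]' into a comparable tuple.

    A missing patch component is treated as 0, so '17.3' == '17.3.0'.
    Suffixes such as '-ee' or '-ce.0' (assumed format) are ignored.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(text):
    """Return True if the version lies inside any affected range."""
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(text):
    """Return the minimum patched release for this version's branch, or None if not affected."""
    if not is_affected(text):
        return None
    major, minor, _ = parse_version(text)
    return FIXED_BY_BRANCH.get((major, minor), DEFAULT_FIXED)


if __name__ == "__main__":
    # Constructed sample inputs, not real instance data
    for sample in ["17.2.8-ee", "17.2.9", "17.3.4-ce", "17.3.5", "17.4.1", "17.4.2", "13.5.9", "18.0.0"]:
        print(f"{sample:12} affected={is_affected(sample)!s:5} upgrade_to={recommended_upgrade(sample)}")
```

The version string can be read from the instance's `/api/v4/version` endpoint or from the admin UI; note that 17.2.9 and later on the 17.2 branch is patched even though it sorts below 17.3.0, which is why the ranges are kept as separate intervals rather than a single lower and upper bound.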
Details
- CWE(s): CWE-407 (Algorithmic Complexity), CWE-770 (Allocation of Resources Without Limits or Throttling)