CVE-2024-2800 Overview
CVE-2024-2800 is a regular expression denial of service (ReDoS) vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE). The flaw resides in the RefMatcher component used to match branch names against wildcard patterns. An unauthenticated remote attacker can trigger catastrophic regex backtracking by submitting crafted branch name patterns, exhausting CPU resources on the GitLab instance.
The vulnerability affects all GitLab versions from 11.3 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. The issue is tracked under CWE-1333: Inefficient Regular Expression Complexity.
Critical Impact
Remote attackers can cause denial of service against GitLab instances without authentication by exploiting regex backtracking in branch name matching.
Affected Products
- GitLab Community Edition (CE) versions 11.3 through 17.0.5
- GitLab Enterprise Edition (EE) versions 17.1 through 17.1.3
- GitLab CE/EE versions 17.2 through 17.2.1
Discovery Timeline
- 2024-08-08 - CVE-2024-2800 published to the National Vulnerability Database
- 2024-09-18 - Last updated in NVD database
Technical Details for CVE-2024-2800
Vulnerability Analysis
The vulnerability stems from inefficient regular expression handling in the RefMatcher class, which evaluates Git reference names against user-supplied wildcard patterns. When the matcher processes specially crafted branch name patterns, the underlying regex engine enters a state of catastrophic backtracking. This consumes significant CPU time and blocks request-processing threads.
GitLab uses RefMatcher in workflows such as protected branch enforcement, push rules, and merge request validation. Because branch name patterns can be supplied through standard repository operations, attackers do not require elevated privileges. The result is exhaustion of worker processes that handle Git operations, degrading availability for legitimate users.
Root Cause
The root cause is a regex pattern in RefMatcher that contains nested quantifiers or overlapping alternations without anchoring constraints. When matched against adversarial input, the regex engine explores an exponential number of paths before failing. This pattern complexity falls under CWE-1333.
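To show the shape of a wildcard matcher that cannot backtrack catastrophically, the following Ruby snippet is an added illustration written for this page; it is not GitLab's RefMatcher, nor the fix GitLab shipped, and the length and wildcard limits (MAX_PATTERN_LENGTH, MAX_WILDCARDS) are assumed values chosen for the example. The idea is the general one the root cause points at: every user-supplied character is escaped, the regex is anchored at both ends, and the only quantifiers that reach the engine are flat, non-nested `.*` segments whose number is bounded.

```ruby
# Upper bounds on an acceptable wildcard pattern (assumed limits for this example,
# not GitLab's own values).
MAX_PATTERN_LENGTH = 255
MAX_WILDCARDS = 8

# Build an anchored Regexp from a Git-ref wildcard pattern in which '*' is the only
# metacharacter. Every other character is escaped, so no user-controlled quantifier,
# alternation or group ever reaches the regex engine, and the '*' segments become a
# flat sequence of '.*' that cannot nest.
def compile_ref_pattern(pattern)
  raise ArgumentError, 'pattern too long' if pattern.length > MAX_PATTERN_LENGTH
  raise ArgumentError, 'too many wildcards' if pattern.count('*') > MAX_WILDCARDS

  # Collapse runs of '*' so "a**b" yields one '.*', not two adjacent unbounded quantifiers.
  literals = pattern.squeeze('*').split('*', -1).map { |lit| Regexp.escape(lit) }
  Regexp.new("\\A#{literals.join('.*')}\\z")
end

# Match a ref name against a pattern: exact string comparison when the pattern has
# no '*' (no regex involved at all), anchored wildcard match otherwise.
def ref_matches?(pattern, ref_name)
  return pattern == ref_name unless pattern.include?('*')

  compile_ref_pattern(pattern).match?(ref_name)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample patterns and ref names.
  [['release/*', 'release/1.0'], ['release/*', 'feature/1.0'],
   ['*-stable', 'v1-stable'], ['main', 'mainline'], ['a.b', 'axb']].each do |pat, ref|
    puts "#{pat.ljust(10)} vs #{ref.ljust(12)} => #{ref_matches?(pat, ref)}"
  end
end
```

Several sequential `.*` segments are still polynomial in the input length rather than exponential, which is why the wildcard count is capped as well as the pattern length; a pattern that exceeds either bound is rejected before a Regexp is ever built.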
Attack Vector
An attacker submits a crafted branch name or wildcard pattern through any GitLab interface that invokes RefMatcher. Triggering paths include Git push operations, REST/GraphQL API calls that configure protected branches, and merge request creation. The attack requires no authentication in configurations where these features are publicly reachable. Repeated requests amplify CPU exhaustion across worker pools.
No verified public exploit code is available for this issue. Technical context is documented in the GitLab Issue Tracker Entry and HackerOne Report #2416332.
Detection Methods for CVE-2024-2800
Indicators of Compromise
- Sustained CPU saturation on GitLab Rails or Sidekiq worker processes without a corresponding increase in legitimate request volume.
- Slow or timing-out Git operations, particularly those involving protected branch checks or push rules.
- Repeated requests from a single source containing unusually long or pathological branch name patterns.
- Application logs showing extended request durations tied to RefMatcher or branch matching code paths.
Detection Strategies
- Monitor request latency percentiles for endpoints handling branch operations and protected branch configuration.
- Alert on Rails worker timeouts or Unicorn/Puma request kills that correlate with branch-related controller actions.
- Inspect web server access logs for branch name parameters exceeding reasonable length thresholds.
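The third detection strategy, inspecting access logs for over-long branch name parameters, can be scripted directly against reverse proxy logs. The Ruby script below is an added example for this page, not GitLab tooling: it parses NGINX combined-format lines, picks out the GitLab REST endpoints that carry branch names (`/repository/branches` and `/protected_branches`), extracts the `name`, `branch`, `search` and `ref` query parameters plus the branch name in the path, and flags values over a length threshold and clients that repeat them. The length threshold (MAX_BRANCH_PARAM_LENGTH), the repeat threshold (REPEAT_THRESHOLD) and the log lines themselves are constructed for the example.

```ruby
require 'uri'

# Longest branch name or wildcard pattern considered reasonable (assumed threshold; tune per instance).
MAX_BRANCH_PARAM_LENGTH = 255
# Number of flagged requests from one client before it is reported as a repeated source (assumed).
REPEAT_THRESHOLD = 3

# GitLab REST endpoints that accept a branch name or wildcard pattern.
BRANCH_PATHS = %r{/api/v4/projects/[^/]+/(repository/branches|protected_branches)(/|\?|$)}
# Query parameters on those endpoints that carry a branch name or pattern.
BRANCH_PARAMS = %w[name branch search ref].freeze

# NGINX combined log format: client, ident, user, [time], "METHOD target PROTO", status ...
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<target>\S+) \S+" (?<status>\d{3})/

# Constructed sample log lines (not real traffic). The long value is release%2F followed
# by 300 'x' characters: 308 characters once URL-decoded, well over the threshold.
LONG_PATTERN = 'release%2F' + ('x' * 300)
SAMPLE_LOG = <<~LOG
  198.51.100.7 - - [08/Aug/2024:10:00:01 +0000] "GET /api/v4/projects/42/repository/branches?search=feature%2Flogin HTTP/1.1" 200 512 "-" "curl/8.0"
  203.0.113.5 - - [08/Aug/2024:10:00:02 +0000] "POST /api/v4/projects/42/protected_branches?name=#{LONG_PATTERN} HTTP/1.1" 201 128 "-" "curl/8.0"
  203.0.113.5 - - [08/Aug/2024:10:00:03 +0000] "POST /api/v4/projects/42/protected_branches?name=#{LONG_PATTERN} HTTP/1.1" 201 128 "-" "curl/8.0"
  203.0.113.5 - - [08/Aug/2024:10:00:04 +0000] "GET /api/v4/projects/42/repository/branches/#{LONG_PATTERN} HTTP/1.1" 404 64 "-" "curl/8.0"
  198.51.100.7 - - [08/Aug/2024:10:00:05 +0000] "GET /api/v4/projects/42/repository/branches/main HTTP/1.1" 200 900 "-" "git/2.45"
  192.0.2.9 - - [08/Aug/2024:10:00:06 +0000] "GET /api/v4/projects/42/merge_requests?state=opened HTTP/1.1" 200 2048 "-" "curl/8.0"
LOG

# Every branch-name-like value in one request target (query parameters and path segment), decoded.
def branch_values(target)
  uri = URI.parse(target)
  values = []
  if uri.query
    URI.decode_www_form(uri.query).each do |key, val|
      values << val if BRANCH_PARAMS.include?(key)
    end
  end
  # .../repository/branches/<encoded name> and .../protected_branches/<encoded name>
  if (m = uri.path.match(%r{/(?:repository/branches|protected_branches)/([^/]+)\z}))
    values << URI.decode_www_form_component(m[1])
  end
  values
rescue URI::InvalidURIError, ArgumentError
  []
end

# Scan log text and return the over-long branch parameters found plus the clients repeating them.
def scan_access_log(log_text)
  findings = []
  log_text.each_line do |line|
    m = LOG_LINE.match(line)
    next unless m && m[:target] =~ BRANCH_PATHS

    branch_values(m[:target]).each do |value|
      next if value.length <= MAX_BRANCH_PARAM_LENGTH

      findings << { ip: m[:ip], time: m[:time], method: m[:method],
                    length: value.length, sample: value[0, 40] }
    end
  end
  repeat_sources = findings.group_by { |f| f[:ip] }
                           .select { |_, fs| fs.size >= REPEAT_THRESHOLD }
                           .keys
  { findings: findings, repeat_sources: repeat_sources }
end

if __FILE__ == $PROGRAM_NAME
  result = scan_access_log(SAMPLE_LOG)
  result[:findings].each { |f| puts "#{f[:time]} #{f[:ip]} #{f[:method]} len=#{f[:length]} #{f[:sample]}..." }
  puts "repeated sources: #{result[:repeat_sources].join(', ')}"
end
```

Run it against a real log with `scan_access_log(File.read('/var/log/nginx/gitlab_access.log'))`; the decoded length is what matters, since a URL-encoded value can look short in the raw line while expanding into a much longer pattern once GitLab decodes it.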
Monitoring Recommendations
- Forward GitLab application logs, Sidekiq logs, and reverse proxy logs to a centralized logging platform for correlation.
- Track baseline CPU and memory metrics for GitLab application nodes and trigger alerts on sustained anomalies.
- Review audit events for unusual branch protection configuration activity, particularly from unauthenticated or low-privilege sources.
How to Mitigate CVE-2024-2800
Immediate Actions Required
- Upgrade GitLab CE/EE to version 17.0.6, 17.1.4, 17.2.2, or later as appropriate for your release branch.
- Audit GitLab instances exposed to the public internet and restrict access to authenticated users where feasible.
- Apply rate limiting at the reverse proxy or load balancer to limit the volume of branch-related operations per client.
Patch Information
GitLab released fixes in versions 17.0.6, 17.1.4, and 17.2.2. Administrators should follow standard GitLab upgrade procedures and verify version output via gitlab-rake gitlab:env:info after upgrading. See the GitLab Issue Tracker Entry for additional fix details.
Workarounds
- Place GitLab behind a web application firewall configured to reject excessively long branch name parameters.
- Restrict GitLab API and Git access to authenticated networks using IP allowlisting until patches are deployed.
- Reduce Rails request timeouts to fail fast on pathological regex evaluations and free worker capacity.
# Verify GitLab version after upgrade
sudo gitlab-rake gitlab:env:info | grep "GitLab information" -A 5

# Example NGINX rate limit for branch-related endpoints
# (limit_req_zone belongs in the http { } block, the location in the server { } block)
limit_req_zone $binary_remote_addr zone=gitlab_branches:10m rate=10r/s;
location ~ /api/v4/projects/.*/repository/branches { limit_req zone=gitlab_branches burst=20; }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.