CVE-2024-2829: GitLab FileFinder DoS Vulnerability

CVE-2024-2829 is a denial of service vulnerability in GitLab CE/EE FileFinder caused by crafted wildcard filters. Attackers can disrupt service availability. This article covers technical details, affected versions, and mitigation.

CVE-2024-2829 Overview

CVE-2024-2829 is a denial of service vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE). The flaw resides in the FileFinder component, where a crafted wildcard filter triggers inefficient regular expression processing. An unauthenticated attacker can exploit this remotely over the network to exhaust server resources and disrupt GitLab availability. The vulnerability is classified under CWE-1333: Inefficient Regular Expression Complexity. GitLab assigned this issue a high severity rating and released fixes across three supported branches.

Critical Impact

An unauthenticated attacker can send crafted wildcard filters to FileFinder, causing resource exhaustion and a denial of service against GitLab instances.

Affected Products

  • GitLab CE/EE 12.5 up to and including 16.9.5
  • GitLab CE/EE 16.10.0 up to and including 16.10.3
  • GitLab CE/EE 16.11.0 (the only 16.11 release before the fix)
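To turn the version ranges above into something an administrator can run against a fleet, here is an added Ruby helper (not GitLab's own tooling). It parses the version strings GitLab reports (the `-ee` suffix handling and the treatment of a missing patch number as `.0` are assumptions for the example) and reports whether a version is affected and which release on its branch carries the fix.

```ruby
# Added example, not GitLab code: classify a self-managed GitLab version
# against the ranges affected by CVE-2024-2829.

# Each entry is [first affected version (inclusive), first fixed version (exclusive)].
AFFECTED_RANGES = [
  [[12, 5, 0],  [16, 9, 6]],
  [[16, 10, 0], [16, 10, 4]],
  [[16, 11, 0], [16, 11, 1]],
].freeze

# Accepts "16.9.5", "16.9.5-ee", "16.10" and similar; a missing patch number is
# treated as .0 (assumption for this example). Anything else is rejected.
def parse_version(str)
  m = str.strip.match(/\A(\d+)\.(\d+)(?:\.(\d+))?/)
  raise ArgumentError, "unparseable GitLab version: #{str.inspect}" unless m
  [m[1].to_i, m[2].to_i, (m[3] || 0).to_i]
end

def in_range?(v, lo, hi)
  (v <=> lo) >= 0 && (v <=> hi) < 0   # arrays compare lexicographically
end

def affected_by_cve_2024_2829?(version)
  v = parse_version(version)
  AFFECTED_RANGES.any? { |lo, hi| in_range?(v, lo, hi) }
end

# The smallest fixed release on the affected branch, or nil if not affected.
# Note the gaps: 16.9.7 or 16.10.5 are later than a fix and are not affected.
def fixed_version_for(version)
  v = parse_version(version)
  AFFECTED_RANGES.each { |lo, hi| return hi.join(".") if in_range?(v, lo, hi) }
  nil
end

if __FILE__ == $PROGRAM_NAME
  %w[16.9.5-ee 16.9.6 16.10.3 16.11.0 16.11.1 17.0.0].each do |ver|
    fix = fixed_version_for(ver)
    puts "#{ver}: #{fix ? "affected, upgrade to #{fix}" : "not affected"}"
  end
end
```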

Discovery Timeline

  • 2024-04-25 - CVE-2024-2829 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-2829

Vulnerability Analysis

The vulnerability affects the FileFinder functionality in GitLab CE/EE. FileFinder allows users to locate files within a repository using filter expressions, including wildcard patterns. The underlying implementation processes these wildcard filters using regular expressions that exhibit catastrophic backtracking behavior on malicious input. When an attacker submits a crafted wildcard pattern, the regex engine consumes excessive CPU cycles attempting to evaluate exponential combinations of possible matches. This blocks worker processes and degrades performance across the GitLab instance, ultimately producing a denial of service condition.

Root Cause

The root cause is inefficient regular expression complexity [CWE-1333], commonly called ReDoS (Regular Expression Denial of Service). The FileFinder filter parser turns a user-supplied wildcard filter into a regular expression without enforcing bounds on pattern complexity or matching time before handing it to the regex engine. Filters that translate into nested or stacked unbounded quantifiers, or ambiguous wildcard sequences, force the engine to re-evaluate redundant match paths, and matching time grows exponentially (or at least polynomially) with input length.
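To make the mechanism in the two sections above concrete, here is an added Ruby illustration. It is not GitLab's FileFinder code: it shows the generic pattern of translating a wildcard filter straight into a backtracking regex, beside a hardened alternative that bounds the filter and matches it in linear time without a regex engine. The limits, function names and sample filters are assumptions chosen for the example.

```ruby
# Added illustration, not GitLab's FileFinder implementation: a wildcard filter
# translated directly into a backtracking regex is a CWE-1333 sink; a bounded
# filter plus a linear-time glob matcher is not.

# The naive translation. Nothing is escaped and nothing limits how many
# unbounded '.*' groups the caller can stack. A filter such as
# "*a*a*a*a*a*a*a*a*a*a!" against a long run of 'a' makes a backtracking
# engine (without memoization) retry every way of splitting the text across
# the '.*' groups before it can report a non-match. The unescaped '.' is a
# second defect: "*.rb" also matches "foo_rb".
def naive_wildcard_to_regex(filter)
  Regexp.new("\\A" + filter.gsub("*", ".*").gsub("?", ".") + "\\z")
end

# Hardening step 1: bound the filter before it reaches any matcher.
# The limits are assumptions for the example.
MAX_FILTER_LENGTH = 64
MAX_WILDCARDS     = 4

class FilterRejected < ArgumentError; end

def validate_filter!(filter)
  raise FilterRejected, "filter longer than #{MAX_FILTER_LENGTH}" if filter.length > MAX_FILTER_LENGTH
  collapsed = filter.squeeze("*")   # "a***b" means the same as "a*b"
  raise FilterRejected, "more than #{MAX_WILDCARDS} wildcards" if collapsed.count("*?") > MAX_WILDCARDS
  collapsed
end

# Hardening step 2: match globs without a regex engine. This is the classic
# two-pointer glob matcher: on a mismatch it resumes one character past the
# most recent '*', so the worst case is O(pattern.length * text.length)
# rather than exponential.
def glob_match?(pattern, text)
  p = t = 0
  star = -1   # index of the last '*' seen in pattern, -1 if none
  mark = 0    # position in text where that '*' started consuming
  while t < text.length
    if p < pattern.length && (pattern[p] == "?" || pattern[p] == text[t])
      p += 1
      t += 1
    elsif p < pattern.length && pattern[p] == "*"
      star = p
      mark = t
      p += 1
    elsif star >= 0
      p = star + 1
      mark += 1
      t = mark
    else
      return false
    end
  end
  p += 1 while p < pattern.length && pattern[p] == "*"   # trailing '*' may match nothing
  p == pattern.length
end

# Safe entry point: validate first, then match linearly.
def safe_filter_match?(filter, path)
  glob_match?(validate_filter!(filter), path)
end

if __FILE__ == $PROGRAM_NAME
  puts naive_wildcard_to_regex("*.rb").inspect
  puts safe_filter_match?("app/*/user.rb", "app/models/user.rb")
  begin
    safe_filter_match?("*a*a*a*a*a*a*a*a*a*a!", "a" * 40)
  rescue FilterRejected => e
    puts "rejected: #{e.message}"
  end
end
```

If a regex engine must stay in the path (for example because the filter syntax is richer than `*` and `?`), Ruby 3.2 and later also provide a per-pattern or global `Regexp.timeout` as a backstop, but that only caps the damage of one request; the input bound is what keeps a worker from being tied up at all.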

Attack Vector

The vulnerability is exploitable over the network without authentication or user interaction: wherever file search is reachable anonymously (for example on public projects), an attacker submits a malicious wildcard filter to FileFinder through the GitLab web interface or the API endpoints that accept file search parameters. The crafted pattern triggers prolonged regex evaluation on the server, consuming CPU; repeated requests amplify the effect until available worker capacity is exhausted. Confidentiality and integrity are not affected, but availability is. See the GitLab Issue Report and the HackerOne Vulnerability Report for additional technical context.

Detection Methods for CVE-2024-2829

Indicators of Compromise

  • Sustained high CPU usage on GitLab Puma (Rails) workers without a corresponding increase in legitimate workload.
  • HTTP requests to file search or FileFinder endpoints containing unusual wildcard sequences such as repeated * characters or nested quantifiers.
  • Worker timeouts, request queueing, and 502/504 responses correlated with file search activity.

Detection Strategies

  • Inspect GitLab production_json.log (and api_json.log for API search calls) for requests to file search endpoints whose duration_s exceeds the normal response-time baseline.
  • Monitor request patterns from individual IPs targeting FileFinder with abnormal filter parameters and correlate with CPU spikes.
  • Deploy web application firewall (WAF) rules that flag wildcard filter parameters containing pathological regex constructs.
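The first two strategies above, as an added Ruby example that is not a GitLab-supplied tool: it runs over constructed log lines in the shape of GitLab's production_json.log and api_json.log (JSON per line with time, path, params, status, duration_s and remote_ip), flags search requests that are either slow or carry a wildcard-heavy filter, and counts findings per source IP. The thresholds, the wildcard heuristic and the sample lines are assumptions for the example.

```ruby
require "json"

# Added example, not GitLab code: flag search requests that are slow or that
# carry pathological wildcard filters, then group the findings by source IP.

# Thresholds are assumptions; tune them to the instance's own latency baseline.
SLOW_SECONDS  = 5.0
MAX_WILDCARDS = 4
# GitLab's search syntax scopes file filters with path:, filename: and extension:.
FILTER_TOKEN  = /\b(?:path|filename|extension):(\S+)/

# Constructed sample lines (not real traffic). Line 3 mimics api_json.log,
# which has no "controller" field; the others mimic production_json.log.
SAMPLE_LOG_LINES = [
  '{"time":"2024-04-25T10:00:01.000Z","method":"GET","path":"/search","params":[{"key":"search","value":"path:*.rb user"},{"key":"scope","value":"blobs"}],"status":200,"duration_s":0.42,"remote_ip":"10.0.0.5","controller":"SearchController","action":"show"}',
  '{"time":"2024-04-25T10:00:07.000Z","method":"GET","path":"/search","params":[{"key":"search","value":"path:*a*a*a*a*a*a*a*a*a*a!"},{"key":"scope","value":"blobs"}],"status":200,"duration_s":14.9,"remote_ip":"203.0.113.7","controller":"SearchController","action":"show"}',
  '{"time":"2024-04-25T10:00:23.000Z","method":"GET","path":"/api/v4/projects/42/search","params":[{"key":"search","value":"filename:*b*b*b*b*b*b*b*b*b!"},{"key":"scope","value":"blobs"}],"status":200,"duration_s":21.4,"remote_ip":"203.0.113.7"}',
  '{"time":"2024-04-25T10:01:00.000Z","method":"GET","path":"/api/v4/projects","params":[],"status":200,"duration_s":8.1,"remote_ip":"10.0.0.9","controller":"API::Projects","action":"index"}',
  '{"time":"2024-04-25T10:01:30.000Z","method":"GET","path":"/search","params":[{"key":"search","value":"extension:**********"}],"status":422,"duration_s":0.09,"remote_ip":"198.51.100.2","controller":"SearchController","action":"show"}',
  'not json at all',
].freeze

def search_request?(entry)
  entry["controller"] == "SearchController" || entry["path"].to_s.end_with?("/search")
end

# params is logged as an array of {"key","value"} pairs.
def search_param(entry)
  Array(entry["params"]).find { |p| p["key"] == "search" }&.dig("value").to_s
end

def suspicious_reasons(entry)
  reasons = []
  reasons << "slow:#{entry['duration_s']}s" if entry["duration_s"].to_f >= SLOW_SECONDS
  search_param(entry).scan(FILTER_TOKEN).flatten.each do |filter|
    reasons << "wildcards:#{filter}" if filter.count("*?") > MAX_WILDCARDS
    reasons << "repeated-star:#{filter}" if filter.include?("**")
  end
  reasons.uniq
end

# Returns one finding per suspicious search request; malformed lines are skipped.
def analyze(lines)
  lines.each_with_object([]) do |line, findings|
    entry = begin
      JSON.parse(line)
    rescue JSON::ParserError
      next
    end
    next unless search_request?(entry)
    reasons = suspicious_reasons(entry)
    next if reasons.empty?
    findings << { ip: entry["remote_ip"], time: entry["time"], path: entry["path"],
                  duration_s: entry["duration_s"], query: search_param(entry), reasons: reasons }
  end
end

# Per-IP count of suspicious search requests: the pivot for rate limiting or blocking.
def summarize(findings)
  findings.group_by { |f| f[:ip] }.transform_values(&:length)
end

if __FILE__ == $PROGRAM_NAME
  findings = analyze(SAMPLE_LOG_LINES)
  findings.each { |f| puts "#{f[:time]} #{f[:ip]} #{f[:path]} #{f[:reasons].join(' ')}" }
  puts summarize(findings).inspect
end
```

Correlate the per-IP summary with the CPU and worker-saturation metrics from the next section: a source that produces several findings inside one scrape interval while Puma utilisation climbs is the pattern to alert on, whereas a single slow search is usually just a large repository.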

Monitoring Recommendations

  • Track per-endpoint latency metrics for repository search functionality and alert on sustained deviations.
  • Configure resource utilization alerts on GitLab application servers tied to Puma worker saturation (Unicorn on releases before 14.0).
  • Aggregate WAF and reverse proxy logs into a centralized SIEM for correlation across multiple GitLab nodes.

How to Mitigate CVE-2024-2829

Immediate Actions Required

  • Upgrade GitLab CE/EE to a patched version: 16.9.6, 16.10.4, or 16.11.1, or any later release.
  • Restrict network exposure of GitLab instances to trusted networks where feasible until patching completes.
  • Apply rate limiting on file search and repository search endpoints to reduce ReDoS amplification.

Patch Information

GitLab released fixes in versions 16.9.6, 16.10.4, and 16.11.1. Self-managed GitLab administrators should follow standard upgrade procedures documented by GitLab. GitLab.com instances were patched by the vendor. Refer to the GitLab Issue Report for advisory details.

Workarounds

  • Place GitLab behind a WAF configured to reject requests containing pathological wildcard patterns in file search parameters.
  • Lower per-request CPU and timeout limits at the reverse proxy layer to terminate long-running search requests early.
  • Restrict access to repository search functionality to authenticated users where business requirements allow.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
