CVE-2024-4025 Overview
CVE-2024-4025 is a Denial of Service (DoS) vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE). The flaw affects all versions from 7.10 before 16.11.5, 17.0 before 17.0.3, and 17.1 before 17.1.1. An unauthenticated attacker can trigger the condition by submitting crafted Markdown that the server attempts to render. The issue is classified as Inefficient Regular Expression Complexity [CWE-1333]: specific input patterns make the regular-expression engine backtrack catastrophically, so processing time grows far faster than input size. Successful exploitation degrades availability of the GitLab instance for legitimate users.
Critical Impact
A remote, unauthenticated attacker can tie up GitLab server CPU with crafted Markdown payloads. Each pathological render holds a worker for the duration of the request, so repeated submissions exhaust capacity and disrupt service for all users of the instance.
Affected Products
- GitLab CE/EE versions 7.10 through 16.11.4
- GitLab CE/EE version 17.0 before 17.0.3
- GitLab CE/EE version 17.1.0 (fixed in 17.1.1)
Discovery Timeline
- 2025-06-20 - CVE-2024-4025 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-4025
Vulnerability Analysis
The vulnerability resides in the GitLab Markdown rendering pipeline. GitLab processes user-supplied Markdown in numerous surfaces, including issues, merge requests, wiki pages, snippets, and comments. When the rendering engine encounters input crafted to trigger a pathological regular-expression match, it enters a processing path that consumes excessive CPU time. The result is service degradation or unresponsiveness of the affected GitLab instance. Because Markdown rendering is exposed across many endpoints, the attack surface is broad.
Root Cause
The root cause is Inefficient Regular Expression Complexity [CWE-1333], commonly referred to as Regular Expression Denial of Service (ReDoS). One or more regex patterns used during Markdown parsing exhibit catastrophic backtracking when fed crafted input. The parsing routine fails to bound execution time or input length for the affected patterns. As input length or nesting grows linearly, processing time grows polynomially or exponentially, blocking the Puma worker thread that is handling the request for as long as the match runs.
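The following Ruby script is an added example, not GitLab's code and not the pattern that was actually fixed (this page does not publish it). It places a nested-quantifier regex of the kind that backtracks catastrophically beside a linear-time rewrite using possessive quantifiers, and wraps both in the two guards a renderer should apply to untrusted input: an input-size cap and, on Ruby 3.2 or later, a per-match time budget. The patterns, the 4096-byte limit, the 0.2 s budget and the near-miss inputs are all assumptions made for the illustration.

```ruby
# Added example, not GitLab's code: a nested-quantifier pattern of the kind
# that backtracks catastrophically (CWE-1333), beside a linear-time rewrite
# and the guards a renderer should wrap around any untrusted-input regex.
# The patterns, the byte limit and the inputs are constructed for
# illustration; this page does not publish the actual GitLab pattern.
require "benchmark"

# Hypothetical vulnerable pattern: "words separated by optional whitespace".
# (\w+\s?)+ can carve one run of word characters into 2^(n-1) different
# groups, and on a near-miss such as "aaaa...!" the engine tries every
# carving before giving up.
VULNERABLE_RE = /\A(\w+\s?)+\z/

# Same language, linear time: possessive quantifiers (\w++ and ++) never
# hand characters back, so each run is consumed exactly one way and a
# failed match fails immediately.
SAFE_RE = /\A(?:\w++\s?)++\z/

# Assumed renderer limit; GitLab's real limits are not stated on this page.
MAX_INPUT_BYTES = 4_096

# Regexp::TimeoutError only exists on Ruby >= 3.2; alias it so the rescue
# clause below is valid on older interpreters as well.
REGEXP_TIMEOUT_ERROR =
  defined?(Regexp::TimeoutError) ? Regexp::TimeoutError : Class.new(StandardError)

# Builds a pattern with a per-match time budget where supported
# (Regexp.new(..., timeout:) and Regexp.timeout= arrived in Ruby 3.2).
# On older Rubies only the byte cap in guarded_match bounds the work.
def bounded_regexp(source, seconds: 0.2)
  if Regexp.respond_to?(:timeout=)
    Regexp.new(source, timeout: seconds)
  else
    Regexp.new(source)
  end
end

# Applies both guards and reports an outcome instead of letting one request
# pin a worker thread: :match, :no_match, :too_long or :timeout.
def guarded_match(re, input, max_bytes: MAX_INPUT_BYTES)
  return :too_long if input.bytesize > max_bytes
  re.match?(input) ? :match : :no_match
rescue REGEXP_TIMEOUT_ERROR
  :timeout
end

# Near-miss input: n word characters followed by one character that can
# never match, which forces the backtracking search to run to exhaustion.
def near_miss(n)
  ("a" * n) + "!"
end

if __FILE__ == $PROGRAM_NAME
  # Ruby 3.2+ memoizes backtracking for many patterns and may already run
  # VULNERABLE_RE in linear time; on older interpreters, or for patterns the
  # memoizer cannot cache (back-references, lookaround, atomic groups), the
  # two columns diverge sharply as n grows.
  [8, 12, 16].each do |n|
    input = near_miss(n)
    t_vuln = Benchmark.realtime { VULNERABLE_RE.match?(input) }
    t_safe = Benchmark.realtime { SAFE_RE.match?(input) }
    printf("n=%2d  vulnerable=%.5fs  safe=%.6fs\n", n, t_vuln, t_safe)
  end
  puts guarded_match(SAFE_RE, "x" * 5_000)
  if Regexp.respond_to?(:timeout=)
    # Prints :no_match (memoized, linear) or :timeout (budget enforced);
    # either way the worker is released promptly.
    puts guarded_match(bounded_regexp('\A(\w+\s?)+\z', seconds: 0.05), near_miss(24))
  end
end
```

The rewrite keeps the accepted language identical (words separated by at most one whitespace character) while removing the ambiguity the backtracker exploits; when a pattern cannot be rewritten, the size cap and the match timeout are the controls that keep a single request from monopolising a worker.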
Attack Vector
The attack is network-based and requires no authentication or user interaction wherever Markdown rendering is reachable by anonymous users, such as public projects, public snippets, or the Markdown preview endpoint of a public project. An attacker submits or links to content containing the crafted Markdown, then triggers rendering through normal page views or API calls. Repeating the request can occupy multiple Puma worker threads (or Sidekiq workers, where rendering runs in a background job), amplifying the impact. Confidentiality and integrity are unaffected; only availability is impacted.
No public proof-of-concept code has been verified. Refer to the GitLab Issue #457474 and the HackerOne Report #2024974 for vendor-tracked technical details.
Detection Methods for CVE-2024-4025
Indicators of Compromise
- Sustained high CPU utilization on GitLab Rails or Sidekiq processes correlated with Markdown rendering requests.
- HTTP 5xx responses or request timeouts on endpoints that render Markdown such as /issues, /merge_requests, /snippets, and wiki pages.
- Repeated requests from a single source to Markdown-rendering endpoints with unusually large or deeply nested payloads.
Detection Strategies
- Monitor GitLab application logs for slow request warnings and Rack::Timeout exceptions tied to Markdown rendering controllers.
- Inspect reverse-proxy access logs for repeated POST or GET activity against issue, comment, and preview endpoints from the same client.
- Alert on anomalous spikes in worker thread saturation or queue depth in Sidekiq metrics exposed via Prometheus.
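As an added example (not GitLab tooling), the Ruby script below applies the detection logic above to GitLab's production_json.log. The field names it reads (path, controller, action, status, duration_s, cpu_s, remote_ip) are the documented ones for that log; the six log lines, the endpoint list, the 5 s CPU threshold, the 0.8 CPU-bound ratio and the two-hit minimum are all constructed assumptions to tune for your instance. The distinguishing signal is that a ReDoS render is CPU-bound, so cpu_s tracks duration_s closely, unlike a request that was slow because it waited on the database or Gitaly.

```ruby
# Added example, not GitLab's code: scores production_json.log entries for
# the ReDoS signature described in this advisory. Log lines are constructed;
# field names follow GitLab's production_json.log, values are invented.
require "json"

# Constructed sample: one client (198.51.100.9) repeatedly hitting rendering
# endpoints with CPU-bound, very slow requests, beside normal traffic and a
# slow but I/O-bound API call that must not be flagged.
SAMPLE_LOG = <<~LOG
  {"method":"POST","path":"/grp/proj/-/preview_markdown","controller":"ProjectsController","action":"preview_markdown","status":200,"duration_s":0.08,"cpu_s":0.05,"remote_ip":"203.0.113.5"}
  {"method":"POST","path":"/grp/proj/-/preview_markdown","controller":"ProjectsController","action":"preview_markdown","status":200,"duration_s":14.9,"cpu_s":14.7,"remote_ip":"198.51.100.9"}
  {"method":"POST","path":"/grp/proj/-/preview_markdown","controller":"ProjectsController","action":"preview_markdown","status":500,"duration_s":60.0,"cpu_s":59.8,"remote_ip":"198.51.100.9"}
  {"method":"GET","path":"/grp/proj/-/issues/12","controller":"Projects::IssuesController","action":"show","status":200,"duration_s":0.30,"cpu_s":0.20,"remote_ip":"203.0.113.5"}
  {"method":"GET","path":"/grp/proj/-/wikis/home","controller":"Projects::WikisController","action":"show","status":503,"duration_s":60.0,"cpu_s":59.9,"remote_ip":"198.51.100.9"}
  {"method":"GET","path":"/api/v4/projects","controller":"Grape","action":"GET /api/projects","status":200,"duration_s":45.2,"cpu_s":1.1,"remote_ip":"192.0.2.7"}
LOG

# Paths that render user-supplied Markdown (the surfaces this advisory
# lists); assumed, extend for your instance.
MARKDOWN_PATH = %r{/(?:preview_markdown|issues|merge_requests|wikis|snippets)(?:/|\z)}

# Assumed thresholds. A ReDoS render is CPU-bound: cpu_s tracks duration_s
# closely, which separates it from a request that waited on the database.
CPU_SECONDS_THRESHOLD = 5.0
CPU_BOUND_RATIO = 0.8

# One JSON object per line, as production_json.log is written.
def parse_log(text)
  text.each_line.map { |line| JSON.parse(line) }
end

# True when a single request looks like a pathological render.
def suspicious_render?(entry)
  return false unless entry["path"].to_s.match?(MARKDOWN_PATH)
  cpu = entry["cpu_s"].to_f
  duration = entry["duration_s"].to_f
  return false if duration <= 0.0
  cpu >= CPU_SECONDS_THRESHOLD && (cpu / duration) >= CPU_BOUND_RATIO
end

# Groups suspicious requests by source address and keeps sources with at
# least min_hits of them: a repeat offender, not one unlucky page load.
def redos_suspects(entries, min_hits: 2)
  entries.select { |e| suspicious_render?(e) }
         .group_by { |e| e["remote_ip"] }
         .select { |_ip, hits| hits.size >= min_hits }
end

# One alert line per suspect source, with the worst CPU time and the
# status codes seen (5xx here corresponds to the timeouts noted above).
def alert_lines(suspects)
  suspects.map do |ip, hits|
    worst = hits.map { |h| h["cpu_s"].to_f }.max
    statuses = hits.map { |h| h["status"] }.uniq.sort
    "ALERT #{ip}: #{hits.size} CPU-bound Markdown renders, max cpu_s=#{worst}, statuses=#{statuses.join(',')}"
  end
end

if __FILE__ == $PROGRAM_NAME
  puts alert_lines(redos_suspects(parse_log(SAMPLE_LOG)))
end
```

On a real instance the same logic runs over a tail of /var/log/gitlab/gitlab-rails/production_json.log (Omnibus) or the equivalent container log stream, and the remote_ip grouping should be replaced by the X-Forwarded-For address when a reverse proxy sits in front of GitLab.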
Monitoring Recommendations
- Track GitLab instance health metrics including CPU, memory, and request latency, with alerts on sustained anomalies.
- Enable GitLab's built-in user and IP rate limits (Admin Area > Settings > Network), and reverse-proxy limits, for the Markdown preview endpoint and comment submission endpoints.
- Retain web server and application logs centrally for retrospective analysis of suspicious payload patterns.
How to Mitigate CVE-2024-4025
Immediate Actions Required
- Upgrade GitLab CE/EE to version 16.11.5, 17.0.3, or 17.1.1 or later as appropriate for your branch.
- Restrict anonymous access to Markdown-rendering endpoints where business requirements permit.
- Apply rate limits at the reverse proxy or GitLab application level for endpoints that accept Markdown input.
Patch Information
GitLab released fixed versions 16.11.5, 17.0.3, and 17.1.1 addressing the inefficient regular expression. Self-managed administrators should follow the standard GitLab upgrade procedure for their installation method (Omnibus, Helm, source). GitLab.com was patched by the vendor. Confirm remediation by checking the running version with gitlab-rake gitlab:env:info or the /help page; self-managed instances report the version with an edition suffix such as 16.11.5-ee.
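The Ruby script below is an added example, not GitLab's code: it reads the Version: line from gitlab-rake gitlab:env:info output and tests it against the three affected ranges given in this advisory. The sample output is constructed to mirror the shape of the command's "GitLab information" block (only the Version: line is parsed), and the edge case it handles is real: Gem::Version treats the "-ee"/"-ce" edition suffix as a pre-release marker, so an unstripped 16.11.5-ee would sort below 16.11.5 and a patched instance would be misreported as vulnerable.

```ruby
# Added example, not GitLab's code: checks the version reported by
# `gitlab-rake gitlab:env:info` against the fixed releases in this advisory.
require "rubygems"

# Affected ranges from the advisory as [from, fixed) pairs. Gem::Version
# compares numeric segments properly ("16.9" < "16.11").
AFFECTED_RANGES = [
  ["7.10",   "16.11.5"],
  ["17.0.0", "17.0.3"],
  ["17.1.0", "17.1.1"],
].map { |from, fixed| [Gem::Version.new(from), Gem::Version.new(fixed)] }

# GitLab reports "16.11.4-ee" or "-ce". Gem::Version reads a hyphen suffix
# as a pre-release, which would sort 16.11.5-ee BELOW 16.11.5 and flag a
# patched instance, so the edition suffix is stripped before comparing.
def numeric_version(reported)
  Gem::Version.new(reported.strip.split("-").first)
end

# True when the reported version falls inside any unpatched range.
def affected?(reported)
  v = numeric_version(reported)
  AFFECTED_RANGES.any? { |from, fixed| v >= from && v < fixed }
end

# Pulls the Version: line out of the "GitLab information" block; returns
# nil when the block is absent rather than guessing.
def version_from_env_info(output)
  in_gitlab_block = false
  output.each_line do |line|
    in_gitlab_block = true if line.start_with?("GitLab information")
    next unless in_gitlab_block
    if (m = line.match(/\AVersion:\s*(\S+)/))
      return m[1]
    end
  end
  nil
end

# Constructed sample in the shape of `gitlab-rake gitlab:env:info` output;
# the values are invented.
SAMPLE_ENV_INFO = <<~OUT
  System information
  System:         Ubuntu 22.04
  Current User:   git
  Ruby Version:   3.1.4p223
  GitLab information
  Version:        16.11.4-ee
  Revision:       0123456
  Directory:      /opt/gitlab/embedded/service/gitlab-rails
OUT

if __FILE__ == $PROGRAM_NAME
  v = version_from_env_info(SAMPLE_ENV_INFO)
  puts "#{v}: #{affected?(v) ? 'AFFECTED, upgrade required' : 'patched baseline met'}"
end
```

To run it against a live instance, feed the script the real command output (for example `sudo gitlab-rake gitlab:env:info | ruby check.rb` with `$stdin.read` in place of SAMPLE_ENV_INFO).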
Workarounds
- Place GitLab behind a Web Application Firewall (WAF) that caps request body size on Markdown-accepting endpoints. A WAF cannot reliably recognise a ReDoS trigger by content, so the size cap, not a content signature, is the control that matters.
- Lower request and worker timeouts so a pathological render is terminated before it exhausts capacity. A timeout frees the worker but does not stop resubmission, so pair it with rate limiting.
- Disable or restrict public project visibility on instances that cannot be patched immediately.
# Verify installed GitLab version meets the patched baseline
sudo gitlab-rake gitlab:env:info | grep "GitLab information" -A 5

# Example NGINX rate limit for the Markdown preview endpoint.
# limit_req_zone belongs in the http context and the location in the GitLab server block;
# on Omnibus, set them via nginx['custom_nginx_config'] and nginx['custom_gitlab_server_config'] in gitlab.rb.
# The new location must also carry the same proxy_pass and proxy_set_header directives as the
# existing "location /" block, otherwise matching requests are no longer proxied to GitLab.
# limit_req_zone $binary_remote_addr zone=mdpreview:10m rate=10r/m;
# location ~* /preview_markdown { limit_req zone=mdpreview burst=5 nodelay; }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

