CVE-2024-6324 Overview
A Denial of Service (DoS) vulnerability was discovered in GitLab Community Edition (CE) and Enterprise Edition (EE) affecting all versions starting from 15.7 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1. The vulnerability allows authenticated attackers to trigger resource exhaustion by creating cyclic references between epics, potentially degrading or disrupting GitLab service availability.
Critical Impact
Authenticated users can cause service degradation or denial of service by exploiting improper handling of cyclic epic references, leading to resource exhaustion on affected GitLab instances.
Affected Products
- GitLab Community Edition (CE) versions 15.7 to 17.5.4
- GitLab Enterprise Edition (EE) versions 15.7 to 17.5.4
- GitLab CE/EE versions 17.6 to 17.6.2
- GitLab CE/EE version 17.7.0 (the only 17.7 release prior to 17.7.1)
Discovery Timeline
- 2025-01-08 - GitLab releases security patch in version 17.7.1
- 2025-01-09 - CVE-2024-6324 published to NVD
- 2025-08-05 - Last updated in NVD database
Technical Details for CVE-2024-6324
Vulnerability Analysis
This vulnerability falls under the category of Algorithmic Complexity Attack (CWE-407), which occurs when an algorithm's worst-case computational complexity can be triggered by specially crafted input. In GitLab's epics feature, the application fails to properly validate and prevent cyclic relationships between epics when establishing parent-child hierarchies.
When a user creates a cyclic reference (e.g., Epic A is parent of Epic B, which is parent of Epic A), the system enters an infinite or deeply recursive traversal loop when attempting to resolve the epic hierarchy. This leads to CPU and memory resource exhaustion on the GitLab server.
The vulnerability requires authenticated access with permissions to create and modify epics, which limits the attack surface to legitimate users or compromised accounts. However, a single malicious request can significantly impact service availability for all users of the affected GitLab instance.
Root Cause
The root cause is insufficient validation in GitLab's epic relationship management code. When epics are linked in a parent-child relationship, the system does not adequately check for cycles in the dependency graph before accepting the relationship. This missing cycle detection allows users to create circular references that cause infinite loops during hierarchy traversal operations.
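To make the root cause concrete, here is an added example (not GitLab's own code) with a minimal in-memory model of epic parent/child links. It contrasts an unguarded ancestor walk, which never terminates once a cycle exists, with a guarded walk that tracks visited epics and caps depth, and a link operation that validates at write time so the cycle is never stored. Class names, method names and the depth limit are assumptions for this example.

```ruby
# Added example, not GitLab's own code: a minimal model of epic parent links
# showing why missing cycle detection exhausts resources and how a guarded
# link operation prevents it. Names and limits are assumptions.
require 'set'

class CycleError < StandardError; end
class RunawayTraversal < StandardError; end

class Epic
  attr_reader :id
  attr_accessor :parent

  def initialize(id)
    @id = id
    @parent = nil
  end
end

# Unguarded walk: follows parent pointers until nil. With a cycle present it
# never reaches nil. The step cap stands in for "the server hangs" so this
# example can run safely; the vulnerable code has no such cap.
def ancestors_unguarded(epic, max_steps: 10_000)
  chain = []
  current = epic.parent
  while current
    chain << current.id
    raise RunawayTraversal, "exceeded #{max_steps} steps, cycle suspected" if chain.size > max_steps
    current = current.parent
  end
  chain
end

MAX_DEPTH = 7 # assumed depth limit for this example, not GitLab's value

# Guarded walk: remembers visited ids so a revisit is detected on the first
# repeat, and caps depth so even a legitimate long chain costs bounded work.
def ancestors_guarded(epic, max_depth: MAX_DEPTH)
  seen = Set[epic.id]
  chain = []
  current = epic.parent
  while current
    raise CycleError, "cycle detected at epic #{current.id}" if seen.include?(current.id)
    raise CycleError, "hierarchy deeper than #{max_depth}" if chain.size >= max_depth
    seen << current.id
    chain << current.id
    current = current.parent
  end
  chain
end

# The fix belongs at write time: a link child -> parent closes a cycle exactly
# when parent is child itself or child already sits above parent.
def link_parent!(child, parent)
  raise CycleError, "an epic cannot be its own parent" if child.id == parent.id
  chain = ancestors_guarded(parent)
  raise CycleError, "linking #{child.id} under #{parent.id} would create a cycle" if chain.include?(child.id)
  raise CycleError, "resulting hierarchy would exceed #{MAX_DEPTH}" if chain.size + 1 > MAX_DEPTH
  child.parent = parent
  true
end

# Returns true when the guarded walk rejects the hierarchy rooted at epic.
def cyclic?(epic)
  ancestors_guarded(epic)
  false
rescue CycleError
  true
end

if __FILE__ == $PROGRAM_NAME
  a, b, c = Epic.new(:a), Epic.new(:b), Epic.new(:c)
  link_parent!(b, a)
  link_parent!(c, b)
  puts "ancestors of c: #{ancestors_guarded(c).inspect}"
  begin
    link_parent!(a, c)
  rescue CycleError => e
    puts "rejected: #{e.message}"
  end
end
```

The important design point is that `ancestors_guarded` alone only bounds the damage; the cycle still has to be refused in `link_parent!` before it is persisted, otherwise every later read of the hierarchy pays for the bad write.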
Attack Vector
The attack exploits GitLab's epic management functionality through the web interface or API. An authenticated attacker with appropriate permissions can:
- Create two or more epics within a project or group
- Establish a parent-child relationship between the epics
- Manipulate the relationships to create a cyclic dependency
- Trigger any operation that requires traversing the epic hierarchy, causing the server to enter an infinite loop or extremely deep recursion
The vulnerability is exploitable over the network, requires low attack complexity, and needs authenticated access with standard user privileges. No user interaction is required beyond the attacker's own actions. Technical details about the specific exploitation method can be found in the HackerOne Report #2553716 and GitLab Issue #468914.
Detection Methods for CVE-2024-6324
Indicators of Compromise
- Unusual CPU spikes or sustained high CPU utilization on GitLab application servers
- Memory exhaustion events correlated with epic-related API requests
- GitLab worker processes becoming unresponsive or timing out
- Audit logs showing repeated modifications to epic parent-child relationships by the same user
Detection Strategies
- Monitor GitLab application logs for errors related to epic hierarchy traversal or recursion limits
- Implement alerting for abnormal resource consumption patterns on GitLab servers
- Review audit logs for suspicious patterns of epic creation and relationship modification
- Configure application performance monitoring to detect long-running epic-related database queries
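The following added example (not GitLab's own tooling) turns the detection strategies above into a small script over constructed GitLab-style JSON API log lines. It flags users who modify epic parent/child links in bursts and epic requests that ran unusually long or failed server-side, which is what a traversal that never finishes looks like from the log. The log lines only approximate api_json.log; the field names, thresholds and the epic-link path pattern are assumptions to adapt to a real deployment.

```ruby
# Added example, not GitLab's own code: detection over constructed JSON API
# log lines. Field names and path shapes are assumptions.
require 'json'
require 'time'

# Constructed sample lines approximating GitLab's api_json.log format.
SAMPLE_LOG = <<~'LOG'
  {"time":"2025-01-10T10:00:01Z","method":"POST","path":"/api/v4/groups/12/epics/1/epics/2","status":201,"duration_s":0.12,"meta.user":"alice"}
  {"time":"2025-01-10T10:00:05Z","method":"POST","path":"/api/v4/groups/12/epics/2/epics/3","status":201,"duration_s":0.10,"meta.user":"alice"}
  {"time":"2025-01-10T10:00:09Z","method":"DELETE","path":"/api/v4/groups/12/epics/1/epics/2","status":200,"duration_s":0.09,"meta.user":"alice"}
  {"time":"2025-01-10T10:00:14Z","method":"POST","path":"/api/v4/groups/12/epics/3/epics/1","status":201,"duration_s":0.13,"meta.user":"alice"}
  {"time":"2025-01-10T10:00:20Z","method":"GET","path":"/api/v4/groups/12/epics/1","status":503,"duration_s":60.0,"meta.user":"bob"}
  {"time":"2025-01-10T10:03:00Z","method":"POST","path":"/api/v4/groups/12/epics/7/epics/8","status":201,"duration_s":0.11,"meta.user":"carol"}
  {"time":"2025-01-10T10:05:00Z","method":"GET","path":"/api/v4/projects/5/merge_requests","status":200,"duration_s":0.05,"meta.user":"bob"}
LOG

# Assumed shape of epic-link endpoints (parent epic -> child epic).
EPIC_LINK_PATH = %r{\A/api/v4/groups/[^/]+/epics/\d+/epics(?:/\d+)?\z}
EPIC_PATH      = %r{/epics(?:/|\z)}
MUTATING       = %w[POST PUT DELETE].freeze

def parse_log(text)
  text.each_line.map(&:strip).reject(&:empty?).map do |line|
    e = JSON.parse(line)
    { time: Time.iso8601(e['time']), method: e['method'], path: e['path'],
      status: e['status'].to_i, duration_s: e['duration_s'].to_f, user: e['meta.user'] }
  end
end

# Writes to epic parent/child relationships.
def epic_link_mutations(entries)
  entries.select { |e| MUTATING.include?(e[:method]) && e[:path].match?(EPIC_LINK_PATH) }
end

# Users with at least `threshold` link mutations inside any `window_s` window.
def burst_users(entries, threshold: 3, window_s: 60)
  epic_link_mutations(entries).group_by { |e| e[:user] }.filter_map do |user, evs|
    times = evs.map { |e| e[:time] }.sort
    hit = times.each_index.any? do |i|
      j = i
      j += 1 while j + 1 < times.size && times[j + 1] - times[i] <= window_s
      (j - i + 1) >= threshold
    end
    user if hit
  end
end

# Epic requests that exceeded `max_duration_s` or returned 5xx.
def slow_or_failed_epic_requests(entries, max_duration_s: 30.0)
  entries.select do |e|
    e[:path].match?(EPIC_PATH) && (e[:duration_s] > max_duration_s || e[:status] >= 500)
  end
end

if __FILE__ == $PROGRAM_NAME
  entries = parse_log(SAMPLE_LOG)
  puts "burst users: #{burst_users(entries).inspect}"
  slow_or_failed_epic_requests(entries).each do |e|
    puts "slow/failed: #{e[:user]} #{e[:method]} #{e[:path]} #{e[:duration_s]}s status #{e[:status]}"
  end
end
```

Pair the two signals: a burst of link mutations followed by long-running or 5xx epic reads from other users is the pattern to alert on, whereas either signal alone is often a legitimate bulk reorganisation or an unrelated slow query.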
Monitoring Recommendations
- Enable comprehensive audit logging for epic management operations in GitLab
- Set up resource utilization thresholds and alerts for GitLab server CPU and memory
- Monitor database query execution times for epic-related operations
- Implement rate limiting on epic modification endpoints as an additional control
How to Mitigate CVE-2024-6324
Immediate Actions Required
- Upgrade GitLab CE/EE to version 17.5.5, 17.6.3, or 17.7.1 (or later on the same release track) immediately
- Review recent epic modifications for potential exploitation attempts
- Ensure GitLab instance resource limits and monitoring are properly configured
- Audit user permissions to restrict epic management access where appropriate
Patch Information
GitLab has released patches addressing this vulnerability in the following versions:
- 17.5.5 for the 17.5.x release track
- 17.6.3 for the 17.6.x release track
- 17.7.1 for the 17.7.x release track
Organizations should upgrade to the latest patched version for their release track. Detailed information about the patch is available in the GitLab Patch Release Notes.
Workarounds
- Restrict access to epic creation and modification features to trusted users only
- Implement network-level rate limiting for GitLab API endpoints related to epics
- Configure resource limits (CPU, memory, request timeouts) for GitLab worker processes
- Monitor and alert on unusual patterns of epic relationship modifications
# Check current GitLab version
gitlab-rake gitlab:env:info
# Upgrade GitLab to patched version (example for Omnibus installation)
apt-get update && apt-get install gitlab-ee=17.7.1-ee.0
# Reconfigure GitLab after upgrade
gitlab-ctl reconfigure
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.