CVE-2024-8124: GitLab CE/EE DoS Vulnerability

CVE-2024-8124 is a denial-of-service vulnerability in GitLab CE/EE triggered by a specific POST request. Affected are versions 16.4 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. This article covers the technical details, affected versions, and mitigation.

CVE-2024-8124 Overview

CVE-2024-8124 is a denial-of-service vulnerability affecting GitLab Community Edition (CE) and Enterprise Edition (EE). The flaw allows an unauthenticated attacker to trigger resource exhaustion by sending a specifically crafted POST request to a vulnerable GitLab instance. The issue is classified under CWE-1333 (Inefficient Regular Expression Complexity) and affects every release from 16.4 up to the fixed versions in each of the 17.1, 17.2, and 17.3 lines.

GitLab released fixes in versions 17.1.7, 17.2.5, and 17.3.2 on September 11, 2024. The vulnerability is exploitable over the network with no authentication or user interaction required, so exposed self-managed GitLab instances are the primary risk surface.

Critical Impact

Unauthenticated attackers can render GitLab CE/EE instances unavailable with a small number of crafted POST requests: each request ties up a web worker in CPU-bound regex evaluation, and enough of them in parallel exhaust the worker pool, disrupting source code management, CI/CD pipelines, and DevOps workflows.

Affected Products

  • GitLab CE/EE versions 16.4 up to (but not including) 17.1.7
  • GitLab CE/EE versions 17.2 up to (but not including) 17.2.5
  • GitLab CE/EE versions 17.3 up to (but not including) 17.3.2

Discovery Timeline

  • 2024-09-11 - GitLab releases patched versions 17.1.7, 17.2.5, and 17.3.2
  • 2024-09-12 - CVE-2024-8124 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-8124

Vulnerability Analysis

The vulnerability resides in GitLab's handling of a specific POST endpoint where untrusted input is processed in a way that consumes disproportionate server resources. Mapped to CWE-1333, the issue stems from inefficient regular expression evaluation that exhibits worst-case algorithmic complexity when fed adversarial input. An attacker can therefore force the GitLab Rails application to spend excessive CPU cycles on a single request.

Because the attack requires no authentication and no user interaction, any internet-reachable GitLab instance running an affected version is exposed. The Exploit Prediction Scoring System (EPSS) places this CVE in the 98th percentile, indicating relatively high likelihood of exploitation activity compared to other vulnerabilities. Successful exploitation impacts availability only, with no direct effect on confidentiality or integrity of repository data.

Root Cause

The root cause is inefficient regular expression complexity, commonly referred to as Regular Expression Denial of Service (ReDoS). When a regex pattern with catastrophic backtracking behavior receives crafted input, evaluation time grows non-linearly with input size. In GitLab's case, the vulnerable POST handler invokes such a pattern against attacker-controlled data, allowing a single request to monopolize a worker process.
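To make the backtracking failure mode concrete, the following Python example is added here; it is not GitLab's code, and because the page does not disclose the actual pattern or endpoint, the regex, the field bound MAX_INPUT_LEN and the handler names are illustrative assumptions. It pairs a textbook nested-quantifier pattern with the two fixes a handler needs: a length bound applied before the regex runs, and an unambiguous pattern that accepts the same strings in linear time.

```python
# Added example (not GitLab's code; the regex behind CVE-2024-8124 is not public
# on this page). It shows the CWE-1333 failure mode with a textbook pattern and
# the two fixes a handler needs: an input-length bound and an unambiguous regex.
import re
import time

# Vulnerable pattern: the nested quantifier lets "aaaa...a!" be split into groups
# in 2^(n-1) ways, and the backtracking engine tries every split before the
# trailing "!" makes the match fail.
VULNERABLE_RE = re.compile(r"^(a+)+$")

# Accepts exactly the same strings (one or more "a") with a single linear scan.
SAFE_RE = re.compile(r"^a+$")

# Assumed bound for the field; a real handler should size this to the field's
# legitimate use before any regex touches the value.
MAX_INPUT_LEN = 256


def vulnerable_handler(field: str) -> bool:
    """Untrusted input, unbounded length, backtracking-prone pattern."""
    return VULNERABLE_RE.search(field) is not None


def safe_handler(field: str) -> bool:
    """Reject oversized values first, then match with the linear pattern."""
    if len(field) > MAX_INPUT_LEN:
        return False
    return SAFE_RE.search(field) is not None


def adversarial_input(n: int) -> str:
    """n repetitions of the repeated atom followed by a character that forces failure."""
    return "a" * n + "!"


def time_match(pattern: "re.Pattern[str]", text: str) -> float:
    """Wall-clock seconds for one match attempt."""
    start = time.perf_counter()
    pattern.search(text)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Matching time roughly doubles with every extra "a" for the vulnerable
    # pattern and stays flat for the safe one.
    for n in range(14, 23, 2):
        payload = adversarial_input(n)
        print(f"n={n:2d}  vulnerable={time_match(VULNERABLE_RE, payload):8.4f}s"
              f"  safe={time_match(SAFE_RE, payload):.6f}s")
```

Run it directly to watch the vulnerable timing double per character while the safe pattern stays in microseconds. The length bound matters on its own: even a pattern that still backtracks cannot run away if the input it sees is capped, which is why hardening usually combines both measures rather than relying on a regex rewrite alone.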

Attack Vector

The attack vector is network-based. An attacker sends an HTTP POST request containing a payload engineered to trigger the pathological regex behavior on the targeted GitLab endpoint. Each such request occupies a Puma worker for as long as the regex runs, so repeated requests can exhaust the Puma worker pool, causing the instance to stop responding to legitimate users and CI/CD agents. Technical details for the specific endpoint and payload are referenced in GitLab Issue #480533 and HackerOne Report #2634880.

Detection Methods for CVE-2024-8124

Indicators of Compromise

  • Sustained spikes in CPU utilization on GitLab Rails/Puma worker processes correlated with inbound POST traffic.
  • HTTP 5xx responses, request timeouts, and worker restarts in production.log and gitlab-rails logs.
  • Repeated POST requests from a single source to the same endpoint with unusually large or pattern-heavy payloads.

Detection Strategies

  • Inspect GitLab access logs for anomalous POST request volumes, abnormal request durations, or repeated requests from a single client IP.
  • Correlate web application firewall (WAF) telemetry with backend CPU saturation events to identify ReDoS-style traffic.
  • Compare the running GitLab version against the patched versions 17.1.7, 17.2.5, and 17.3.2 to confirm exposure.
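As an added example (not GitLab's own tooling), the following Python script applies the first and third strategies above to constructed input: it groups POST requests in production_json.log by client and path, flags groups whose requests are repeatedly CPU-bound, and checks a version string against the affected ranges. The field names (method, path, status, remote_ip, duration_s, cpu_s, time) follow GitLab's Rails structured log as understood here and should be confirmed against your instance; the endpoint path, the IP addresses, and the log lines themselves are placeholders constructed for the example.

```python
# Added example (not GitLab's own tooling). It scans GitLab's Rails structured log
# (production_json.log) for POST traffic that keeps a worker CPU-bound, which is
# what a regex spinning on crafted input looks like, and checks a version string
# against the affected ranges. Field names (method, path, status, remote_ip,
# duration_s, cpu_s, time) follow that log as the author understands it; confirm
# them against your instance. The endpoint path below is a placeholder.
import json
from collections import defaultdict

# Constructed sample lines, not from a real incident. 203.0.113.7 repeatedly
# POSTs to one endpoint and each request burns almost all of its wall time on
# CPU; 198.51.100.2 is ordinary traffic to the same and other endpoints.
SAMPLE_LOG = """\
{"method":"POST","path":"/-/placeholder-endpoint","status":200,"remote_ip":"203.0.113.7","duration_s":58.91,"cpu_s":58.40,"time":"2024-09-10T08:00:01.000Z"}
{"method":"POST","path":"/-/placeholder-endpoint","status":200,"remote_ip":"203.0.113.7","duration_s":59.12,"cpu_s":58.77,"time":"2024-09-10T08:00:02.000Z"}
{"method":"POST","path":"/-/placeholder-endpoint","status":500,"remote_ip":"203.0.113.7","duration_s":60.00,"cpu_s":59.51,"time":"2024-09-10T08:00:03.000Z"}
{"method":"POST","path":"/-/placeholder-endpoint","status":500,"remote_ip":"203.0.113.7","duration_s":60.01,"cpu_s":59.60,"time":"2024-09-10T08:00:04.000Z"}
{"method":"POST","path":"/api/v4/projects","status":201,"remote_ip":"198.51.100.2","duration_s":0.42,"cpu_s":0.11,"time":"2024-09-10T08:00:05.000Z"}
{"method":"GET","path":"/users/sign_in","status":200,"remote_ip":"203.0.113.7","duration_s":0.05,"cpu_s":0.02,"time":"2024-09-10T08:00:06.000Z"}
{"method":"POST","path":"/-/placeholder-endpoint","status":200,"remote_ip":"198.51.100.2","duration_s":0.30,"cpu_s":0.12,"time":"2024-09-10T08:00:07.000Z"}
"""

# Affected ranges from the advisory: [16.4, 17.1.7), [17.2, 17.2.5), [17.3, 17.3.2).
AFFECTED_RANGES = (
    ((16, 4, 0), (17, 1, 7)),
    ((17, 2, 0), (17, 2, 5)),
    ((17, 3, 0), (17, 3, 2)),
)


def parse_version(version: str) -> tuple:
    """'17.3.1-ee' -> (17, 3, 1); missing components are treated as 0."""
    core = version.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def is_affected(version: str) -> bool:
    """True when the version falls inside any unpatched range."""
    v = parse_version(version)
    return any(low <= v < high for low, high in AFFECTED_RANGES)


def find_redos_suspects(log_text: str, min_requests: int = 3,
                        cpu_ratio: float = 0.8, min_cpu_s: float = 5.0) -> list:
    """Group POSTs by (client, path) and flag groups with repeated CPU-bound requests.

    A request is CPU-bound when cpu_s is at least min_cpu_s and accounts for at
    least cpu_ratio of duration_s; database or Gitaly waits would instead show
    duration_s far above cpu_s.
    """
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines rather than abort the scan
        if rec.get("method") != "POST":
            continue
        buckets[(rec.get("remote_ip"), rec.get("path"))].append(rec)

    suspects = []
    for (ip, path), recs in buckets.items():
        hot = [r for r in recs
               if r.get("duration_s", 0) > 0
               and r.get("cpu_s", 0) >= min_cpu_s
               and r["cpu_s"] / r["duration_s"] >= cpu_ratio]
        if len(hot) >= min_requests:
            suspects.append({
                "remote_ip": ip,
                "path": path,
                "requests": len(recs),
                "cpu_bound": len(hot),
                "max_cpu_s": max(r["cpu_s"] for r in hot),
                "statuses": sorted({r.get("status") for r in hot}),
            })
    return sorted(suspects, key=lambda s: s["max_cpu_s"], reverse=True)


if __name__ == "__main__":
    for s in find_redos_suspects(SAMPLE_LOG):
        print(f"{s['remote_ip']} POST {s['path']}: {s['cpu_bound']}/{s['requests']} "
              f"CPU-bound requests, max cpu_s={s['max_cpu_s']}, statuses={s['statuses']}")
    for v in ("17.3.1-ee", "17.3.2-ee", "16.3.9", "17.1.7"):
        print(f"{v}: {'affected' if is_affected(v) else 'not affected'}")
```

The cpu_s to duration_s ratio is the discriminating signal: a slow request that is waiting on PostgreSQL or Gitaly has a low ratio, while a regex spinning on crafted input drives the ratio toward 1.0 until the request hits the worker timeout. Tune min_cpu_s to your instance's normal POST latency, and feed the scanner the real log from the period before the upgrade to look for earlier attempts.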

Monitoring Recommendations

  • Establish baseline metrics for GitLab worker CPU, request latency, and 5xx error rates, and alert on deviations.
  • Forward GitLab application, NGINX, and system logs to a centralized analytics platform for correlation with network telemetry.
  • Continuously monitor exposure of the GitLab web interface and API to untrusted networks, restricting where business requirements allow.

How to Mitigate CVE-2024-8124

Immediate Actions Required

  • Upgrade self-managed GitLab CE/EE instances to 17.3.2, 17.2.5, or 17.1.7 (or later) without delay.
  • Audit network exposure of GitLab endpoints and restrict access to trusted networks or VPN users where possible.
  • Review recent access logs for suspicious POST patterns predating the upgrade to identify prior exploitation attempts.

Patch Information

GitLab addressed CVE-2024-8124 in the patch release announced on September 11, 2024. Apply the fixed versions referenced in the GitLab Patch Release Announcement. GitLab.com SaaS tenants were updated by GitLab; self-managed administrators must apply the patch manually.

Workarounds

  • Place GitLab behind a WAF or reverse proxy configured with strict request size limits and rate limiting on POST endpoints. Because one crafted request can hold a worker for the full request timeout, a per-IP rate limit only bounds how quickly a single source can fill the worker pool; it reduces exposure but does not remove it.
  • Enforce per-IP connection and request rate limits at the load balancer, and review GitLab's own unauthenticated web and API request rate limits (Admin area, Settings > Network, User and IP rate limits), to constrain the impact of repeated abusive requests.
  • Restrict unauthenticated access to GitLab where feasible, requiring SSO or VPN to reach the application tier.
```nginx
# Example rate limiting on an external NGINX reverse proxy in front of GitLab.
# Only POSTs are counted: the map yields an empty key for other methods, and
# NGINX does not account requests whose key is empty.
http {
    map $request_method $gitlab_post_key {
        default "";
        POST    $binary_remote_addr;
    }

    # One crafted request can hold a worker until the request timeout, so keep
    # the per-client POST rate low; this slows pool exhaustion, it is not a fix.
    limit_req_zone $gitlab_post_key zone=gitlab_post:10m rate=2r/s;
    limit_req_status 429;

    upstream gitlab_upstream {
        server 127.0.0.1:8080;   # placeholder: point at the GitLab front end
    }

    server {
        listen 443 ssl;
        server_name gitlab.example.com;

        location / {
            limit_req zone=gitlab_post burst=5 nodelay;
            # 1m would break git push over HTTPS and larger uploads; GitLab's
            # bundled NGINX defaults to 250m, so size this to your upload needs.
            client_max_body_size 250m;
            proxy_pass http://gitlab_upstream;
        }
    }
}
```

If GitLab's bundled NGINX is the only proxy, the http-level map and limit_req_zone directives go into nginx['custom_nginx_config'] and the limit_req directive into nginx['custom_gitlab_server_config'] in gitlab.rb, followed by gitlab-ctl reconfigure.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
