A newly disclosed vulnerability, tracked as CVE-2025-0290, affects GitLab CE/EE (Community Edition/Enterprise Edition) in all versions from 15.0 prior to 17.5.5, from 17.6 prior to 17.6.3, and from 17.7 prior to 17.7.1. Under specific circumstances it causes background jobs to hang. This post covers the details of the vulnerability, with an illustrative code snippet, the references we could find, and what exploitation would involve.
Overview
The vulnerability arises while processing CI (Continuous Integration) artifact metadata: a job handling a crafted artifact never completes, and the background worker that picked it up stays occupied. Because the same worker pool serves CI/CD pipelines and other background tasks, the result is a slowdown or a complete halt of pipelines and other background work in the affected GitLab instance.
Code Snippet
The problem stems from how artifact metadata is parsed inside jobs consumed by Sidekiq, the background job processor GitLab runs on. The following Ruby sketch is illustrative of the pattern rather than a copy of the affected GitLab code:
def artifacts_metadata
  retry_count ||= 0
  Gitlab::Ci::Parsers::Security::Metadata.parse!(artifact.file.read)
rescue Gitlab::Ci::Parsers::FileReadError
  # Unreadable file: fall back to empty metadata instead of failing the job
  Gitlab::Ci::Parsers::Security::Metadata.new(artifact.filename, {})
rescue Gitlab::Ci::Parsers::UnknownParserFormatException,
       Gitlab::Ci::Parsers::Security::Metadata::InvalidFormatError => e
  # Retry on an invalid-format error; the same file is re-read and re-parsed
  # on every attempt, and the method only gives up once the count is exhausted
  if retry_count < 2
    retry_count += 1
    retry
  else
    raise e
  end
end
The method reads the artifact file and hands it to the metadata parser. A parse or format error is caught by the rescue clause, which re-runs the whole method. Two things make this pattern fragile. First, a malformed artifact is malformed on every attempt, so the retries only repeat the same work. Second, and worse, if the parser itself never returns for a given input, the rescue clause is never reached at all: the job neither fails nor finishes, and the Sidekiq worker thread running it is tied up indefinitely.
Original References
1. GitLab Security Advisory: https://about.gitlab.com/releases/2025/02/20/critical-security-release-gitlab-13-12-4-released/
2. GitLab Merge Request: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/26103
3. GitLab Issue Tracker: https://gitlab.com/gitlab-org/gitlab/-/issues/3408
Note that the advisory URL above names a 13.12.4 release while carrying a 2025 date, and the merge request and issue numbers are far older than the 17.x code base; verify all three against the GitLab patch release notes for 17.7.1, 17.6.3 and 17.5.5 before relying on them.
Exploit Details
An attacker who can get a pipeline to upload an artifact (CI artifacts are produced by pipeline jobs, so this means anyone able to run a pipeline in a project) can craft the artifact's metadata so that the parsing path above does not terminate. Each such artifact pins one Sidekiq worker thread; enough of them, or a queue that keeps re-delivering the same job, exhausts the pool and the instance's background processing becomes unresponsive. No code execution or data access is involved; this is a denial of service.
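To make the failure mode concrete, here is an added, self-contained Ruby example (not GitLab's code, and not the real artifact metadata format). It uses a hypothetical length-prefixed metadata format, a naive parser whose cursor stops advancing on a crafted negative length, the retry-on-format-error job pattern from the snippet above, and a hardened parser plus job wrapper that rejects bad input and puts a time budget around the parse so the worker is always freed. All names, the format and the sample inputs are constructed for the example.

```ruby
require 'timeout'

# Hypothetical metadata format (constructed for this example, not GitLab's):
# entries are "<len>:<bytes>" concatenated back to back. Lengths are decimal.
GOOD_METADATA = "4:main8:artifact".freeze
# Constructed malicious input: the declared length -3 moves a naive parser's
# cursor back to the start of the same entry, so its loop never terminates.
MALICIOUS_METADATA = "4:main-3:x".freeze

class InvalidMetadata < StandardError; end

# Naive parser: trusts the declared length and never checks that it made progress.
def parse_naive(data)
  names = []
  pos = 0
  while pos < data.bytesize
    sep = data.index(':', pos)
    raise InvalidMetadata, 'missing separator' unless sep
    len = data[pos...sep].to_i          # "-3".to_i => -3
    names << data[sep + 1, len]         # nil for a negative length
    pos = sep + 1 + len                 # with -3 the cursor lands back on pos
  end
  names
end

MAX_ENTRIES  = 1_000
MAX_NAME_LEN = 255

# Hardened parser: validates the length field, bounds the work, and refuses
# to continue if the cursor did not advance.
def parse_strict(data)
  names = []
  pos = 0
  while pos < data.bytesize
    raise InvalidMetadata, 'too many entries' if names.size >= MAX_ENTRIES
    sep = data.index(':', pos)
    raise InvalidMetadata, 'missing separator' unless sep
    field = data[pos...sep]
    raise InvalidMetadata, "bad length #{field.inspect}" unless field.match?(/\A\d{1,3}\z/)
    len = field.to_i
    raise InvalidMetadata, 'length out of range' if len > MAX_NAME_LEN
    raise InvalidMetadata, 'truncated entry' if sep + 1 + len > data.bytesize
    names << data[sep + 1, len]
    next_pos = sep + 1 + len
    raise InvalidMetadata, 'parser made no progress' unless next_pos > pos
    pos = next_pos
  end
  names
end

# Job wrapper in the spirit of the snippet on this page, with two fixes:
# a malformed artifact is a permanent failure (retrying re-parses the same
# bytes), and the parse runs under a wall-clock budget so a non-terminating
# parser cannot hold the worker thread forever.
def process_artifact(data, parser:, budget_seconds: 0.5)
  names = Timeout.timeout(budget_seconds) { parser.call(data) }
  { status: :ok, names: names }
rescue InvalidMetadata => e
  { status: :rejected, error: e.message }   # do not retry; log and drop the job
rescue Timeout::Error
  { status: :timed_out }                    # fail the job; the worker is freed
end

if __FILE__ == $PROGRAM_NAME
  p process_artifact(GOOD_METADATA,      parser: method(:parse_naive))
  p process_artifact(MALICIOUS_METADATA, parser: method(:parse_naive))   # times out
  p process_artifact(MALICIOUS_METADATA, parser: method(:parse_strict))  # rejected
end
```

Run without the wrapper, parse_naive(MALICIOUS_METADATA) simply never returns, which is the behaviour that matters for a Sidekiq worker: no exception means no rescue, no retry and no job completion. The time budget is the last line of defence; the input validation and progress check in parse_strict are what actually remove the bug.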
Mitigation
GitLab has released patches for the affected versions. If you run GitLab CE/EE within the affected ranges, update to the fixed release corresponding to your current minor version: 17.5.5, 17.6.3 or 17.7.1. Until the update is applied, a sudden rise in Sidekiq queue latency or a worker pool that stays saturated with long-running artifact jobs is the symptom to watch for.
Summary
CVE-2025-0290 is a denial-of-service issue that can render GitLab background jobs, and with them CI/CD pipelines, unresponsive. It affects GitLab CE/EE from 15.0 through 17.7.0, and administrators should update to 17.5.5, 17.6.3 or 17.7.1 to mitigate the risk.
Timeline
Published on: 01/28/2025 09:15:09 UTC