GitLab CE/EE Denial-of-Service Vulnerability Due to Cyclic Epic References

Vulnerability

A denial-of-service vulnerability has been identified in GitLab Community Edition (CE) and Enterprise Edition (EE) affecting all versions from 15.7 before 17.5.5, 17.6 before 17.6.3, and 17.7 before 17.7.1. The epic hierarchy accepted cyclic references between epics (a chain of parent links that leads back to its starting epic), and code that walks that hierarchy never terminates on such data, exhausting server resources. Any authenticated user on the affected instance who can create and link epics can trigger the condition.

Impact

Once a cycle exists, a background job that walks the epic hierarchy runs in an infinite loop, driving CPU usage up and disrupting normal operation of the instance. In addition, requests for the details of the affected epics fail with an HTTP 500 error, so every user who tries to view them is affected, not only the user who created the cycle.

Reproduction

To reproduce this vulnerability, create a group (epics are group-level objects) and four epics in it. Link the epics so that the parent relation forms a loop, for example by making each epic the parent of the next and the last epic the parent of the first, so that following parent links never reaches a root. Once the cycle is in place, the GraphQL API returns a 500 error for any user querying the affected epics, and the background job that processes the hierarchy consumes 100% of the CPU.
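The following is an added example, not GitLab's own code and not part of this advisory. It models the epic parent/child hierarchy as a plain Ruby hash (epic id => parent id, nil at the root; the ids A to D are constructed) and shows why a cycle is fatal: an unguarded ancestor walk, of the kind a background job or a details endpoint might perform, never terminates on cyclic data, whereas a walk that tracks visited ids aborts immediately, and a check run before a parent link is saved refuses to create the cycle in the first place.

```ruby
# Added example: epic hierarchy cycle handling. Not GitLab code.
# Data model (assumed): { epic_id => parent_epic_id_or_nil }.

class CycleError < StandardError; end

# Unguarded walk, as vulnerable code might do it: follow parent links until a
# root is reached. On acyclic data this terminates; on a cycle it never would.
# The max_steps cap exists only so this example can show the failure without
# hanging the process; it is not a fix.
def ancestors_unguarded(parents, id, max_steps: 1_000)
  chain = []
  current = parents[id]
  while current
    raise CycleError, "walk exceeded #{max_steps} steps (cycle?)" if chain.size >= max_steps
    chain << current
    current = parents[current]
  end
  chain
end

# Guarded walk: remember every id seen and stop as soon as one repeats.
# Cost is O(depth) extra memory; the walk can no longer loop forever.
def ancestors_guarded(parents, id)
  chain = []
  seen = { id => true }
  current = parents[id]
  while current
    raise CycleError, "cycle at epic #{current}" if seen[current]
    seen[current] = true
    chain << current
    current = parents[current]
  end
  chain
end

# Check to run before persisting a new parent link: linking `child` under
# `new_parent` creates a cycle if new_parent is the child itself or if the
# child already appears among new_parent's ancestors.
def cycle_if_linked?(parents, child, new_parent)
  return true if child == new_parent
  ancestors_guarded(parents, new_parent).include?(child)
rescue CycleError
  true # the stored data is already cyclic; refuse to extend it
end

# Write path that applies the check. Returns the updated hash.
def assign_parent!(parents, child, new_parent)
  if cycle_if_linked?(parents, child, new_parent)
    raise CycleError, "linking #{child} under #{new_parent} would create a cycle"
  end
  parents[child] = new_parent
  parents
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: four epics in a straight chain A <- B <- C <- D.
  parents = { "A" => nil, "B" => "A", "C" => "B", "D" => "C" }
  puts "ancestors of D: #{ancestors_guarded(parents, 'D').inspect}"
  begin
    assign_parent!(parents, "A", "D") # closes the loop D -> C -> B -> A -> D
  rescue CycleError => e
    puts "rejected: #{e.message}"
  end

  # What the vulnerable instance ends up storing when the check is missing.
  cyclic = { "A" => "D", "B" => "A", "C" => "B", "D" => "C" }
  begin
    ancestors_unguarded(cyclic, "A", max_steps: 50)
  rescue CycleError => e
    puts "unguarded walk: #{e.message}"
  end
  begin
    ancestors_guarded(cyclic, "A")
  rescue CycleError => e
    puts "guarded walk: #{e.message}"
  end
end
```

The check in `cycle_if_linked?` is the one that belongs on the write path (API and UI alike); the visited-set guard in the walk is defence in depth for data that is already inconsistent, which is exactly the state an affected instance is left in after the cycle has been created.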

Remediation

GitLab has released patched versions 17.7.1, 17.6.3, and 17.5.5. Upgrade to one of these versions, or a later release, immediately; no workaround is given in the advisory.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 7.3
impact: 0.6
exploitability: 6.2
remediation: 8.3
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.