GitLab CE/EE Merge Request Diff Handling Denial-of-Service Vulnerability

A denial-of-service vulnerability has been identified in GitLab CE/EE versions 13.6 prior to 17.2.9, 17.3 prior to 17.3.5, and 17.4 prior to 17.4.2. The issue arises when viewing merge request diffs that have conflicts, causing a significant delay in processing time. This vulnerability can be exploited by sending repeated unauthenticated requests for diff files of a commit or merge request, which consumes considerable CPU resources and can make the GitLab instance unresponsive to legitimate users.

Impact

Exploitation of this vulnerability can lead to a complete service outage on the affected GitLab instance, causing it to become unresponsive to users.

Reproduction

The vulnerability can be reproduced by sending unauthenticated requests to the 'diff_files' endpoint of a commit or merge request that has a large number of changes. This can be done manually or automated with a script. The 'diffs_batch.json' endpoint of merge requests is also affected, but this issue is separate and related to a different root cause.

Remediation

Users can update to GitLab versions 17.6.2 or 17.7 to address this vulnerability.