GitLab
cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*
- >= 17.7, < 17.10.8
- >= 17.11, < 17.11.4
- >= 18.0, < 18.0.2
A denial-of-service vulnerability has been identified in GitLab CE/EE versions 17.7 prior to 17.10.8, 17.11 prior to 17.11.4, and 18.0 prior to 18.0.2. The vulnerability allows an attacker to create an infinite redirect loop by manipulating the 'format' parameter, particularly when it is set to 'git'. The endless redirects can overwhelm the server, causing it to reboot and disrupting normal user activity on the GitLab instance.
Exploitation of this vulnerability leads to an infinite redirect loop, causing a high volume of requests that can overwhelm the server. This not only disrupts service by occupying server resources but also causes the GitLab instance to reboot, temporarily halting all operations. Such behavior can be particularly damaging in a shared environment, where it affects all users on the platform.
The vulnerability can be reproduced by sending a GET request to a GitLab project URL with the 'format' parameter set to 'git'. This can be done manually through a web browser or automated using a script that simulates the same request. The infinite redirect loop can be observed by monitoring the response headers, which will show a continuous series of 302 redirect responses. Additionally, this issue can be exploited using a bash script that sends a high volume of requests, effectively causing a denial-of-service condition by overwhelming the server and forcing it to reboot.
Users can update to GitLab versions 17.10.8, 17.11.4, or 18.0.2 to address this vulnerability.
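Two checks a GitLab administrator would want after reading this entry: whether a given instance version falls inside the affected ranges listed above, and whether an access log already shows the symptom described (a run of 302 responses to requests carrying `format=git`). The following is an added example written for this page; it is not GitLab's own code or tooling. The version ranges are taken from the entry; the log lines, client addresses, combined-log layout and alert threshold are constructed assumptions for illustration.

```python
import re
from collections import Counter

# Affected ranges from this advisory, as half-open intervals:
# lower bound inclusive, upper bound (the fixed release) exclusive.
AFFECTED_RANGES = [
    ((17, 7, 0), (17, 10, 8)),
    ((17, 11, 0), (17, 11, 4)),
    ((18, 0, 0), (18, 0, 2)),
]


def parse_version(text):
    """Turn '17.10.8', '17.11' or '18.0.2-ee' into a (major, minor, patch) tuple.

    Missing minor/patch components count as 0; an edition or build suffix
    after the numeric part is ignored.
    """
    m = re.match(r"^\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_affected(version):
    """True if the version lies in any affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def fixed_version_for(version):
    """Return the first fixed release for an affected version, or None."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(x) for x in hi)
    return None


# --- Symptom check over access logs -------------------------------------
# Assumed combined-log-style lines (constructed sample traffic, not real).
def _line(client, path, status):
    return f'{client} - - [01/Jun/2025:10:00:01 +0000] "GET {path} HTTP/1.1" {status} 0'


SAMPLE_LOG = "\n".join(
    [_line("203.0.113.5", "/group/project?format=git", 302)] * 12
    + [_line("198.51.100.7", "/group/project?format=git", 302)] * 2
    + [_line("198.51.100.7", "/group/project", 200)]
    + [_line("192.0.2.9", "/group/project.git/info/refs?service=git-upload-pack", 200)]
)

# client, method, path, status from a combined-log-style line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def redirect_loop_suspects(log_text, threshold=10):
    """Count 302 responses per client for requests whose query carries
    format=git, and return clients at or above `threshold`, highest first.

    A single 302 is normal; a long run from one client is the loop the
    advisory describes and is worth alerting on.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than failing
        client, _method, path, status = m.groups()
        if status == "302" and re.search(r"[?&]format=git(?:&|$)", path):
            counts[client] += 1
    return [(c, n) for c, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for v in ("17.9", "17.10.8", "17.11.3", "18.0.1", "18.0.2-ee"):
        print(v, "affected ->", fixed_version_for(v) if is_affected(v) else "no")
    print("redirect-loop suspects:", redirect_loop_suspects(SAMPLE_LOG))
```

The version check deliberately treats the fixed releases as exclusive upper bounds, so `17.10.8` itself reports as not affected while `17.10.7` does; the log check keys on the combination of a 302 status and the `format=git` query, so ordinary Git protocol traffic (`.git/info/refs`) is not counted.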