CVE-2022-2455 in Community Editioninfo

Summary

by MITRE • 10/17/2022

A business logic issue in the handling of large repositories in all versions of GitLab CE/EE from 10.0 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2 allowed an authenticated and authorized user to exhaust server resources by importing a malicious project.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 05/25/2026

This vulnerability represents a significant business logic flaw in GitLab's repository import functionality that enables authenticated users to consume excessive server resources through malicious project imports. The issue affects all versions of GitLab Community Edition and Enterprise Edition from version 10.0 up to and including 15.1.5, as well as versions starting from 15.2.0 through 15.2.3 and versions starting from 15.3.0 through 15.3.1. The vulnerability stems from inadequate resource validation and handling during the project import process, specifically when dealing with large repositories that contain maliciously crafted data structures.

The technical implementation of this vulnerability exploits the lack of proper resource limits and input validation during repository import operations. When an authenticated user imports a malicious project, the system fails to properly constrain memory and processing resources consumed during the import process, allowing the attacker to craft repository content that triggers excessive resource consumption patterns. This business logic flaw operates at the application layer and can be classified under CWE-775, which deals with missing resource cleanup or improper resource handling in business logic flows. The vulnerability enables a form of resource exhaustion attack that can impact system availability and performance for legitimate users.

The operational impact of this vulnerability extends beyond simple performance degradation to potentially causing system instability and denial of service conditions. An authenticated attacker with appropriate permissions can consume significant server resources including memory, cpu cycles, and disk space, which can lead to system slowdowns, application unresponsiveness, or complete service disruption. This represents a critical security concern because it allows users with legitimate access to cause harm to the overall system availability, effectively creating a privilege escalation scenario where authorized users can perform unauthorized resource exhaustion attacks. The attack vector requires only authentication, making it particularly dangerous as it can be exploited by insiders or compromised accounts.

Mitigation strategies should focus on implementing comprehensive resource limits and validation checks during repository import operations. System administrators should immediately upgrade to patched versions of GitLab, specifically versions 15.1.6, 15.2.4, and 15.3.2 or later, which contain the necessary fixes for this vulnerability. Additional defensive measures include implementing import size limits, monitoring resource consumption during import operations, and establishing automated alerting for unusual resource usage patterns. Organizations should also consider implementing rate limiting for import operations and conducting regular security assessments of their GitLab installations to identify similar business logic flaws. From an att&ck framework perspective, this vulnerability maps to techniques involving privilege escalation and denial of service, specifically targeting the resource exhaustion category where adversaries leverage legitimate system functionality to cause system instability and availability issues.

Responsible

GitLab Inc.

Reservation

07/18/2022

Disclosure

10/17/2022

Moderation

accepted

CPE

ready

EPSS

0.00996

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!