CVE-2023-1072 in GitLab

Summary

by MITRE • 03/10/2023

An issue has been discovered in GitLab affecting all versions starting from 9.0 before 15.7.8, all versions starting from 15.8 before 15.8.4, and all versions starting from 15.9 before 15.9.2. It was possible to trigger a resource depletion attack due to improper filtering of the number of requests to read commit details.


Analysis

by VulDB Data Team • 08/11/2025

This vulnerability in GitLab is a critical resource exhaustion flaw: crafted requests to the commit-details endpoints consume excessive system resources. The issue stems from inadequate rate limiting and input validation in the application's commit reading functionality, which lets an attacker sustain a resource depletion attack against affected instances. Affected versions span 9.0 through 15.7.7, 15.8.0 through 15.8.3, and 15.9.0 through 15.9.1, so the flaw persisted across multiple major releases. Because the number of commit-details requests is not properly filtered, commit details can be queried continuously without being throttled, which can produce denial-of-service conditions that affect legitimate users and overall system performance.

Technically, the flaw exposes weaknesses in GitLab's request handling and resource management. When commit details are requested, the application does not validate or limit how many concurrent or sequential requests may be made to retrieve commit information, so a burst of simultaneous requests or a sustained request pattern consumes CPU cycles, memory, and database connections without being throttled. The flaw sits at the application layer where HTTP requests are processed, which makes it reachable through the standard web interface without special privileges or access to system resources. Its impact ranges from performance degradation to complete service unavailability when exploited at scale.

Operationally, the flaw creates significant risk for organizations that rely on GitLab for version control and collaboration. Depending on the instance configuration, the resource depletion attack can be carried out by authenticated or unauthenticated users, which is particularly dangerous in public or shared environments. Exploitation can disrupt development workflows, prevent legitimate users from accessing commit information, and cause cascading failures in systems that depend on GitLab. Because little technical expertise is required, the flaw is accessible to a wide range of threat actors, from casual script kiddies to organized cybercriminals. Affected organizations may experience service interruptions, degraded performance, and increased operational overhead while mitigating the attacks.

The flaw corresponds to CWE-770 (allocation of resources without limits or throttling) and relates to ATT&CK technique T1499.004 for resource exhaustion attacks. Immediate mitigations include configuring rate limiting on the commit-details endpoints, enforcing request quotas, and monitoring for unusual patterns of commit access. The recommended remediation is to upgrade to a patched GitLab version, where the issue is addressed through proper request filtering and resource management controls. Administrators should additionally consider network-level controls, logging and alerting, and regular security assessments to identify exploitation attempts. The vulnerability underlines the importance of resource management and input validation in web applications, especially those serving version control data, where continuous access patterns can be abused.
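The monitoring step above ("monitoring for unusual patterns of commit access") can be reduced to a simple per-client sliding-window count over the web server's access log. The following Python script is an added example written for this page, not GitLab code or VulDB tooling: it assumes a simplified log line layout (`<ISO timestamp> <client> <method> <path> <status>`, in chronological order), matches the two request shapes that return commit details (the web UI path `.../-/commit/<sha>` and the REST path `/api/v4/projects/<id>/repository/commits/<sha>`), and reports clients whose commit-detail requests within a window exceed a threshold. The log lines, the window and the threshold are constructed for the example and should be tuned to the real log source.

```python
"""Sliding-window request-rate check for GitLab commit-detail requests.

Added example for illustration; not GitLab code. The log format, the
60-second window and the threshold of 20 requests are assumptions chosen
for the example, not values taken from GitLab or from the advisory.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Matches the two request shapes that return commit details:
#   web UI: /<namespace>/<project>/-/commit/<sha>
#   REST:   /api/v4/projects/<id>/repository/commits/<sha>
COMMIT_DETAIL_RE = re.compile(
    r"^(?:/[^/\s]+)+/-/commit/[0-9a-f]{7,40}(?:[/?]|$)"
    r"|^/api/v4/projects/[^/\s]+/repository/commits/[0-9a-f]{7,40}(?:[/?]|$)"
)

# Assumed (simplified) log line layout: "<ISO timestamp> <client> <method> <path> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|HEAD|POST) (\S+) (\d{3})$")


def parse_line(line):
    """Return (timestamp, client, path), or None for lines that do not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(4)


def is_commit_detail_request(path):
    """True when the request path reads a single commit's details."""
    return COMMIT_DETAIL_RE.match(path) is not None


def flag_commit_bursts(lines, window_seconds=60, threshold=20):
    """Return {client: peak_count} for clients whose commit-detail requests
    inside any sliding window of window_seconds exceed threshold.
    Lines are expected in chronological order."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # client -> timestamps of recent commit-detail requests
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, path = parsed
        if not is_commit_detail_request(path):
            continue
        q = recent[client]
        q.append(ts)
        while q and ts - q[0] > window:   # evict requests that fell out of the window
            q.popleft()
        if len(q) > threshold:
            peaks[client] = max(peaks.get(client, 0), len(q))
    return peaks


def constructed_sample():
    """Constructed log lines: one client hammering commit details, one browsing normally."""
    base = datetime(2023, 3, 10, 12, 0, 0)
    lines = []
    for i in range(25):   # 25 commit-detail requests in 25 seconds from one client
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} 198.51.100.7 GET /acme/app/-/commit/{i:040x} 200")
    lines.append(f"{base.isoformat()} 203.0.113.5 GET /acme/app/-/merge_requests/12 200")
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()} 203.0.113.5 "
                 f"GET /api/v4/projects/42/repository/commits/{'a' * 40} 200")
    lines.append("not a log line")   # malformed input is skipped, not fatal
    return lines


if __name__ == "__main__":
    for client, peak in flag_commit_bursts(constructed_sample()).items():
        print(f"{client}: {peak} commit-detail requests within 60s (threshold 20)")
```

The check deliberately counts only commit-detail reads rather than all traffic, because the advisory's weakness is specific to that endpoint; a client that exceeds the threshold is a candidate for rate limiting or investigation, not proof of an attack, since CI jobs and mirroring tools can legitimately read many commits in a short time.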

Responsible

GitLab Inc.

Reservation

02/27/2023

Disclosure

03/10/2023

Moderation

accepted

CPE

ready

EPSS

0.00786

KEV

no

Activities

very low

Sources
