
CVE-2022-2455: Uncontrolled resource consumption in GitLab

Severity: Medium
Published: Mon Oct 17 2022 (10/17/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: GitLab
Product: GitLab

Description

A business logic issue in the handling of large repositories in all versions of GitLab CE/EE from 10.0 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2 allowed an authenticated and authorized user to exhaust server resources by importing a malicious project.

AI-Powered Analysis

Last updated: 07/06/2025, 17:55:25 UTC

Technical Analysis

CVE-2022-2455 is a medium-severity vulnerability affecting multiple versions of GitLab Community Edition (CE) and Enterprise Edition (EE), specifically all versions from 10.0 up to but not including 15.1.6, versions from 15.2 up to but not including 15.2.4, and versions from 15.3 up to but not including 15.3.2. The vulnerability arises from a business logic flaw in the way GitLab handles large repositories during project import operations. An authenticated and authorized user can exploit this flaw by importing a maliciously crafted project designed to consume excessive server resources, leading to uncontrolled resource consumption. This can result in denial of service conditions due to exhaustion of CPU, memory, or disk I/O, thereby impacting the availability of the GitLab service. The vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption). The CVSS v3.1 base score is 6.5, indicating a medium severity level, with the vector indicating network attack vector, low attack complexity, requiring privileges, no user interaction, unchanged scope, no confidentiality or integrity impact, but high impact on availability. There are no known exploits in the wild as of the published date, and no direct patch links were provided in the source data, though GitLab has released fixed versions addressing this issue. The vulnerability requires the attacker to have authenticated access with sufficient privileges to import projects, which limits the attack surface to internal or trusted users or compromised accounts. However, given GitLab's widespread use in software development workflows, the impact on affected installations can be significant if exploited.

Potential Impact

For European organizations, the impact of CVE-2022-2455 can be substantial, especially for enterprises and public sector entities relying heavily on GitLab for source code management and CI/CD pipelines. Exploitation can lead to denial of service by exhausting server resources, causing downtime or degraded performance of GitLab services. This disruption can delay development cycles, impact software delivery timelines, and potentially halt critical business operations dependent on continuous integration and deployment. Additionally, organizations with strict service-level agreements (SLAs) or regulatory requirements for uptime may face compliance risks. Since the vulnerability requires authenticated access, insider threats or compromised user accounts pose a significant risk vector. The absence of confidentiality or integrity impact reduces the risk of data leakage or tampering, but availability loss alone can have cascading effects on business continuity and operational efficiency.

Mitigation Recommendations

European organizations should prioritize upgrading GitLab instances to the fixed versions: at least 15.1.6 for versions before 15.1.6, 15.2.4 for versions in the 15.2 series, and 15.3.2 for versions in the 15.3 series. If immediate upgrading is not feasible, organizations should implement strict access controls to limit project import permissions to highly trusted users only. Monitoring and alerting on unusual import activity or resource usage spikes can help detect exploitation attempts early. Additionally, employing resource quotas or limits at the application or infrastructure level (e.g., container resource limits, process limits) can mitigate the impact of resource exhaustion. Regular auditing of user privileges and enforcing strong authentication mechanisms (e.g., MFA) reduce the risk of compromised accounts being used to exploit this vulnerability. Finally, organizations should keep abreast of GitLab security advisories for any further updates or patches related to this issue.
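One way to act on the "monitor unusual import activity or resource usage spikes" recommendation above, as an added example that is not part of the advisory or of GitLab's own code. It assumes GitLab's production_json.log layout (one JSON object per line with "time", "method", "path", "username", "duration_s", "cpu_s"), treats POST requests to `/api/v4/projects/import` or under `/import/` as project imports, and runs over constructed sample lines; the thresholds are assumptions to be tuned per instance.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for this example; tune them per instance.
MAX_IMPORTS_PER_WINDOW = 3      # imports by one user inside WINDOW before alerting
WINDOW = timedelta(minutes=10)
MAX_CPU_S = 30.0                # CPU seconds a single import may burn before alerting

# Assumed import endpoints (API import and web UI import pages).
IMPORT_PATHS = ("/api/v4/projects/import", "/import/")

# Constructed sample log lines, not captured from a real server.
SAMPLE_LOG = """\
{"time":"2025-01-01T10:00:00Z","method":"POST","path":"/api/v4/projects/import","username":"alice","duration_s":2.1,"cpu_s":1.4}
{"time":"2025-01-01T10:01:00Z","method":"POST","path":"/api/v4/projects/import","username":"mallory","duration_s":45.0,"cpu_s":42.7}
{"time":"2025-01-01T10:02:00Z","method":"POST","path":"/api/v4/projects/import","username":"mallory","duration_s":3.0,"cpu_s":2.0}
{"time":"2025-01-01T10:03:00Z","method":"GET","path":"/api/v4/projects","username":"mallory","duration_s":0.1,"cpu_s":0.05}
{"time":"2025-01-01T10:04:00Z","method":"POST","path":"/api/v4/projects/import","username":"mallory","duration_s":3.2,"cpu_s":2.2}
{"time":"2025-01-01T10:05:00Z","method":"POST","path":"/api/v4/projects/import","username":"mallory","duration_s":2.9,"cpu_s":2.1}
"""


def is_import(entry):
    """True for a request that starts a project import (assumed paths)."""
    return entry.get("method") == "POST" and entry.get("path", "").startswith(IMPORT_PATHS)


def find_suspicious_imports(log_text):
    """Return a sorted list of (username, reason) alerts for the given log text."""
    alerts = set()
    per_user = defaultdict(list)  # username -> timestamps of that user's import requests
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if not is_import(entry):
            continue
        user = entry.get("username", "<unknown>")
        ts = datetime.fromisoformat(entry["time"].replace("Z", "+00:00"))
        # A single import that burns an unusual amount of CPU is worth a look.
        if float(entry.get("cpu_s", 0)) > MAX_CPU_S:
            alerts.add((user, "single import exceeded CPU budget"))
        # Sliding window: count this user's imports within WINDOW of this one.
        per_user[user].append(ts)
        recent = [t for t in per_user[user] if ts - t <= WINDOW]
        if len(recent) > MAX_IMPORTS_PER_WINDOW:
            alerts.add((user, "import rate exceeded"))
    return sorted(alerts)
```

Feed the function a real production_json.log (or a tail of it) instead of SAMPLE_LOG; the alerts can then be forwarded to whatever alerting path the SOC already uses.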


Technical Details

Data Version: 5.1
Assigner Short Name: GitLab
Date Reserved: 2022-07-18T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fc1484d88663aecc26

Added to database: 5/20/2025, 6:59:08 PM

Last enriched: 7/6/2025, 5:55:25 PM

Last updated: 8/14/2025, 4:10:10 PM
