CVE-2024-8973 is a medium severity vulnerability affecting GitLab Community Edition (CE) and Enterprise Edition (EE) versions starting from 17.1 up to versions prior to 17.9.8, 17.10 up to prior to 17.10.6, and 17.11 up to prior to 17.11.2. The vulnerability is classified under CWE-770, which relates to the allocation of resources without limits or throttling. Specifically, this issue arises when GitLab processes GitHub import requests containing maliciously crafted payloads. An attacker with at least low privileges (PR:L) can send such requests over the network (AV:N) without requiring user interaction (UI:N) to trigger a denial-of-service (DoS) condition. The vulnerability does not impact confidentiality or integrity but severely affects availability by exhausting resources, leading to service disruption. The CVSS 3.1 base score is 6.5, reflecting a medium severity level. No known exploits are currently reported in the wild. The root cause is insufficient resource management when handling GitHub import requests, allowing attackers to cause excessive resource consumption. This can result in GitLab instances becoming unresponsive or crashing, impacting development workflows and continuous integration pipelines reliant on GitLab services.

For European organizations, this vulnerability poses a significant risk to the availability of GitLab services, which are widely used for source code management, CI/CD pipelines, and project collaboration. Disruption of GitLab can halt development activities, delay software releases, and impact operational continuity. Organizations in sectors with high reliance on software development, such as finance, telecommunications, automotive, and government agencies, may experience operational and reputational damage if their GitLab instances are targeted. Additionally, since the vulnerability can be exploited remotely without user interaction, it increases the attack surface, especially for publicly accessible GitLab instances. The lack of confidentiality or integrity impact reduces the risk of data breaches but does not diminish the operational impact of service outages. European organizations with strict uptime requirements or regulatory obligations for service availability (e.g., under GDPR's availability principle) must prioritize mitigation to avoid compliance risks and business disruption.

To mitigate CVE-2024-8973, organizations should promptly upgrade affected GitLab instances to the fixed versions: 17.9.8, 17.10.6, or 17.11.2 or later. If immediate patching is not feasible, administrators should implement network-level controls to restrict or monitor GitHub import requests, such as rate limiting, IP whitelisting, or web application firewall (WAF) rules targeting the import API endpoints. Monitoring resource utilization and setting thresholds to alert on abnormal spikes can help detect exploitation attempts early. Additionally, disabling GitHub import functionality temporarily may be considered if it is not essential to operations. Regularly reviewing GitLab logs for unusual import activity and applying principle of least privilege to user accounts can reduce the risk of exploitation. Finally, organizations should maintain an incident response plan that includes recovery procedures for GitLab service disruptions.