DOS via Flowchart TB Mermaid on Wiki pages

⚠ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2279739 by toukakirishima on 2023-12-10, assigned to @cmaxim:


Report

Summary

I found a DoS vulnerability when adding wiki pages with a Flowchart TB Mermaid diagram. As an attacker I can cause a DoS: the page takes a while to load and uses 100% CPU.
GitLab has released a patch for this vulnerability: https://about.gitlab.com/releases/2023/11/30/security-release-gitlab-16-6-1-released/#client-side-dos-via-mermaid-flowchart. But GitLab has not fixed it on wiki pages.

Steps to reproduce
  • Go to Wiki
  • Create a wiki and put in the payload

payload-dos.txt

image.png

  • Create page
  • Reload the page. The page takes a very long time to load and uses very high CPU.

POC

bandicam_2023-12-10_19-58-03-946.mp4

Output of checks

This bug happens on GitLab.com

Impact

An attacker can cause a DoS in the Wiki: the page takes a while to load and uses 100% CPU.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • payload-dos.txt
  • image.png
  • bandicam_2023-12-10_19-58-03-946.mp4

How To Reproduce

Please add reproducibility information to this section:
