CVE-2024-9506 Improper regular expression in Vue's parseHTML function leads to potential regex DOS vulnerability

Resolution

Our security and engineering teams have evaluated this CVE and come to the conclusion that this cannot impact GitLab customers. From our engineering team:

As for vue-template-compiler [the source of the vulnerability], we only use that in development of GitLab, during compilation. We explicitly disallow use of the runtime template compiler. We only ship the version of Vue that excludes the runtime template compiler that we send to browsers.

Additionally, we are in the process of migrating away from Vue 2 (which contains this vulnerability) to Vue 3 (which does not). This work is ongoing and tracked in Migration from Vue 2 to Vue 3 (&6252).
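The mitigation the engineering team describes, shipping only the runtime build of Vue 2 so that the template compiler (and its `parseHTML` regexes) never reaches the browser, can be enforced at bundling time. The following is an added illustration, not GitLab's own build configuration: a webpack `resolve.alias` entry that selects the runtime-only Vue 2 distribution instead of the full build, plus a guard that fails if the Vue object reaching the bundle still exposes the `compile` API that only the full build provides. The alias helper and guard function names are assumptions for this example.

```javascript
// Added example (not GitLab's configuration). Vue 2 ships two browser builds:
// the full build bundles the template compiler, the runtime-only build omits it.
const FULL_BUILD = 'vue/dist/vue.esm.js';          // includes the compiler
const RUNTIME_ONLY_BUILD = 'vue/dist/vue.runtime.esm.js'; // compiler stripped out

// Hypothetical helper: produce the webpack alias for the build we intend to ship.
// Only the runtime-only alias keeps the compiler out of the browser bundle.
function vueAlias(runtimeOnly) {
  return { vue$: runtimeOnly ? RUNTIME_ONLY_BUILD : FULL_BUILD };
}

// The full build exposes Vue.compile (a function); the runtime-only build does not.
function hasTemplateCompiler(Vue) {
  return Vue != null && typeof Vue.compile === 'function';
}

// Hypothetical build-time guard: throw if the shipped Vue can compile templates
// at runtime, so a misconfigured alias is caught before the bundle is released.
function assertRuntimeOnlyVue(Vue) {
  if (hasTemplateCompiler(Vue)) {
    throw new Error(
      'Vue build exposes the runtime template compiler; alias vue$ to ' +
        RUNTIME_ONLY_BUILD + ' so the compiler is not shipped to browsers.'
    );
  }
  return true;
}

// Weak setting beside the corrected one (the alias webpack would consume).
const weakConfig = { resolve: { alias: vueAlias(false) } };
const hardenedConfig = { resolve: { alias: vueAlias(true) } };
```

In a real pipeline the guard would be run against the actual Vue export of the production bundle; here it is exercised with stand-in objects.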

Edited by Jeff Tucker