CVE-2024-9773: 
GitLab vulnerability analysis and mitigation

An input validation vulnerability was discovered in GitLab Enterprise Edition (EE) affecting versions from 14.9 before 17.8.6, versions from 17.9 before 17.8.3, and versions from 17.10 before 17.10.1. The vulnerability was assigned CVE-2024-9773 and was disclosed on March 26, 2025 (GitLab Release, NVD).

The vulnerability is classified as a command injection issue (CWE-77) in the Harbor registry integration component of GitLab EE. The flaw stems from improper input validation that could allow malicious code to be added to CLI commands displayed in the user interface. The vulnerability has been assigned a CVSS v3.1 base score of 3.7 (Low) with the vector string CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability could allow a maintainer with elevated privileges to inject malicious shell code through the Harbor project name configuration when using helper scripts. The impact is limited due to the high privileges required and the local access vector, affecting only the CLI commands shown in the UI (GitLab Release).

The vulnerability has been patched in GitLab EE versions 17.8.6, 17.9.3, and 17.10.1. Users are strongly recommended to upgrade to these versions or later to mitigate the vulnerability. GitLab.com has already been updated with the patched version, and GitLab Dedicated customers do not need to take any action (GitLab Release).

The vulnerability was responsibly disclosed through GitLab's HackerOne bug bounty program by researcher joaxcar. GitLab has acknowledged and addressed the vulnerability as part of their regular security patch release cycle (GitLab Release).