Summary: An attacker could exploit Mermaid available in Markdown and cause DoS.
Description: Markdown supported by GitLab can generate diagrams and flowcharts from text using Mermaid. An Attacker can exploit this function to prevent users from successfully accessing some functions. For example, you can use Markdown in Issue's comment. Therefore, DoS can be caused by all users who can comment on that Issue.
[Preparation] 1. Create a new public Project. 2. Create an Issue in the Project created in step 1. 3. Add some comments to the Project created in step 2.
[Attack Flow] 1. Go to the Issue page created in preparation step 2. 2. Copy the payload. (payload is attached file.) 3. Paste the payload on the comment input form. 4. Submit the comment.
Result: Since the screen freezes, the user can not access details of the Issue. In addition, the user can not take any additional action on that Issue.
NOTE: Similar attacks are effective for all functions that can use Markdown.