GitLab Duo Vulnerability Exploited to Inject Malicious Links and Steal Source Code
A security vulnerability was recently discovered in GitLab Duo, the AI-powered coding assistant integrated into GitLab and based on Anthropic’s Claude models.
Security researchers from Legit Security revealed that attackers could exploit an indirect prompt injection flaw to exfiltrate private source code, manipulate AI-generated code suggestions, and even leak confidential zero-day vulnerabilities—all through seemingly innocuous project content.
Prompt injection is a class of vulnerabilities affecting large language models (LLMs), where attackers embed malicious instructions in the data processed by the AI.
In the case of GitLab Duo, the vulnerability was of the indirect type: instead of directly inputting a crafted prompt, attackers could hide instructions within merge request (MR) descriptions, commit messages, issue comments, or even the source code itself.
Because GitLab Duo analyzes the entire context of a project, including all these elements, it would inadvertently process the hidden prompts and execute the attacker’s instructions.
To further obfuscate these prompts, attackers used techniques such as Base16 encoding, Unicode smuggling, and KaTeX rendering in white text, making the malicious payloads nearly invisible to human reviewers but still detectable by the AI.
From Markdown Rendering to Data Exfiltration
According to the report, the exploit chain leveraged GitLab Duo’s real-time Markdown rendering. As Duo streams its responses, the Markdown is progressively converted to HTML and displayed in the browser.
This streaming approach, combined with insufficient input sanitization, allowed attackers to inject raw HTML, such as
A typical attack scenario unfolded as follows:
- An attacker embeds a hidden prompt in a public project’s MR description or comment.
- A victim with access to private repositories interacts with Duo, asking for a code review or analysis.
- Duo, processing the hidden prompt, is tricked into extracting sensitive code or issue data from a private project, encoding it (for example, in Base64), and embedding it as a parameter in an
- The AI’s response, containing the malicious
Here’s a simplified example of such a payload:
xml
Although GitLab used the DOMPurify library to sanitize HTML, certain tags like , and were not removed by default, allowing this data exfiltration vector to persist until the vulnerability was patched.
Impact, Response, and Ongoing Risks
The implications of this vulnerability were severe. Attackers could:
- Steal private source code and confidential issue data (including zero-day vulnerabilities).
- Manipulate Duo’s code suggestions, potentially inserting malicious packages or links.
- Present malicious URLs as safe, redirecting users to phishing sites for credential theft1.
GitLab responded promptly after responsible disclosure on February 12, 2025, releasing a patch (duo-ui!52) that prevents Duo from rendering unsafe HTML tags pointing to external domains.
This effectively closed the HTML-based data exfiltration vector.
However, some researchers argue that prompt injection risks remain, as the underlying issue—treating all user-controlled content as trusted input—has not been fully addressed.
The GitLab Duo incident underscores the urgent need to treat all AI-ingested content as potentially malicious.
As AI assistants become more deeply embedded in developer workflows, robust input validation and context isolation are essential to prevent similar attacks in the future
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
Source link
