The vulnerability, disclosed in February 2025, allowed attackers to manipulate the AI assistant into leaking private source code and injecting untrusted HTML content into responses, potentially redirecting users to malicious websites.
GitLab has since patched the security flaw, but the discovery highlights significant risks associated with AI assistants in development environments.
Legit research team reports that the vulnerability exploited GitLab Duo’s context-aware nature, which analyzes entire project contexts, including comments, descriptions, and source code, to provide helpful responses.
The hidden prompts could be embedded in multiple locations within GitLab projects, including merge request descriptions, commit messages, issue comments, and source code itself.
These malicious instructions were virtually undetectable to users, as attackers employed sophisticated encoding techniques such as Unicode smuggling, Base16-encoded payloads, and KaTeX rendering in white text.
The attack demonstrated several vulnerabilities from the 2025 OWASP Top 10 for LLMs, specifically LLM01 (Prompt Injection), LLM02 (Sensitive Information Disclosure), LLM05 (Improper Output Handling), LLM08 (Vector and Embedding Weaknesses), and LLM09 (Misinformation).
By placing hidden instructions within seemingly harmless project content, attackers could manipulate Duo’s behavior to suggest malicious JavaScript packages, present dangerous URLs as safe, or mislead code reviewers about merge request security.
The most concerning aspect of the vulnerability involved HTML injection capabilities enabled by GitLab Duo’s real-time response rendering.
The AI assistant uses streaming markdown parsing, interpreting and rendering content into HTML before the complete response structure is known.
This asynchronous processing created a window where malicious HTML tags could be executed before proper sanitization occurred.
While GitLab implemented DOMPurify for HTML sanitization, certain tags like <img>, <form>, and <a> weren’t removed by default.
Researchers exploited this by crafting prompts that instructed Duo to extract code changes from private merge requests, encode them in Base64, and embed the data within <img> tag URLs.
When browsers attempted to render these images, they automatically sent GET requests to attacker-controlled servers containing the exfiltrated source code.
The attack payload demonstrated the sophistication possible: <img src=”data:image/png;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==”>.
This technique enabled attackers to steal confidential source code from private iOS projects and potentially exfiltrate zero-day vulnerability disclosures from internal security issues.
Following responsible disclosure on February 12, 2025, GitLab acknowledged the HTML injection and prompt injection vulnerabilities as legitimate security issues.
The company released patch duo-ui!52, which prevents Duo from rendering unsafe HTML tags pointing to external domains outside gitlab.com, effectively mitigating the data exfiltration risk.
This incident underscores the expanding attack surface created by AI assistants in development workflows.
Security researcher Omer Mayraz noted that “AI assistants are now part of your application’s attack surface,” emphasizing that systems allowing LLMs to process user-controlled content must treat all input as potentially malicious.
The vulnerability serves as a crucial reminder that context-aware AI, while powerful, requires robust safeguards to prevent becoming an exposure point for sensitive organizational data.
Equip your SOC team with deep threat analysis for faster response -> Get Extra Sandbox Licenses for Free
The post GitLab Duo Vulnerability Let Attack Inject Malicious link & Steal Source Code appeared first on Cyber Security News.
BROWNWOOD, Texas (KTAB/KRBC) – While exploring the trails and tales of Lake Brownwood State Park,…
‘Live Search’ can describe what your cameras see, not just what they’ve seen. | Image:…
Is Warhammer 40,000: Space Marine 2 a live service game? It’s not normally referred to…
The directors behind The Mummy 4 have revealed their thoughts on whether the franchise's divisive…
March 2, 2026 Sioux Falls-area 20-somethings are making a mark early in their careers, both…
March 2, 2026 The first city approvals for Smithfield Foods’ new processing plant are scheduled…
This website uses cookies.