
Patched GitLab Duo Flaws Risked Code Leak, Malicious Content

May 28, 2025


Artificial Intelligence & Machine Learning, Next-Generation Technologies & Secure Development

Prompt Injection, HTML Output Rendering Could Be Used for Exploit

Rashmi Ramesh (rashmiramesh_) • May 27, 2025


Hackers can exploit vulnerabilities in a generative artificial intelligence assistant integrated across GitLab's DevSecOps platform to manipulate the model's output, exfiltrate source code and potentially deliver malicious content through the platform's user interface.


Researchers at Legit Security said that prompt injection and HTML output rendering could be used to exploit vulnerabilities in GitLab Duo, hijack generative AI workflows and expose internal code. GitLab has patched the vulnerabilities.

The Duo chatbot is touted to "instantly generate a to-do list" that prevents developers from "wading through weeks of commits."

Legit Security co-founder Liav Caspi and security researcher Barak Mayraz demonstrated how GitLab Duo could be manipulated using invisible text, obfuscated Unicode characters and misleading HTML tags, subtly embedded in commit messages, issue descriptions, file names and project comments.

Because Duo reads surrounding project context, such as titles, comments and recent code commits, it can be manipulated using seemingly innocuous text artifacts. These prompts were designed to alter Duo's behavior or force it to output sensitive information. One commit message included a hidden directive instructing Duo to reveal the content of a private file when asked a benign question. Because the assistant lacked strong guardrails, it complied.

GitLab Duo has since updated how it handles contextual input, making it less likely to follow such embedded instructions, but the researchers said that the attack illustrates how even routine developer activity can introduce unexpected threats when AI copilots are in the loop.
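A pre-processing check for the invisible and obfuscated Unicode characters described above, run on project context before it reaches an assistant. This is an added example, not code from GitLab or Legit Security; the character lists, function names and sample commit message are constructed for illustration.

```python
import unicodedata

# Code points often used to hide text from a human reviewer while leaving it
# readable to a model (assumed list for this example, not exhaustive).
ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF}
BIDI_CONTROLS = set(range(0x202A, 0x202F)) | set(range(0x2066, 0x206A))
TAG_BLOCK = range(0xE0000, 0xE0080)  # Unicode "tag" characters mirror ASCII


def classify(ch):
    """Return a label for a suspicious character, or None if it looks ordinary."""
    cp = ord(ch)
    if cp in TAG_BLOCK:
        return "unicode-tag"
    if cp in ZERO_WIDTH:
        return "zero-width"
    if cp in BIDI_CONTROLS:
        return "bidi-control"
    if unicodedata.category(ch) == "Cf":  # any other invisible format character
        return "other-format"
    return None


def scan_context(text):
    """Inspect one piece of context (commit message, issue text, file name).

    Returns (findings, hidden_ascii, cleaned):
      findings     - list of (offset, 'U+XXXX', label)
      hidden_ascii - text carried in tag characters, decoded for the reviewer
      cleaned      - the input with every flagged character removed
    """
    findings, hidden, kept = [], [], []
    for offset, ch in enumerate(text):
        label = classify(ch)
        if label is None:
            kept.append(ch)
            continue
        findings.append((offset, f"U+{ord(ch):04X}", label))
        if label == "unicode-tag" and 0xE0020 <= ord(ch) <= 0xE007E:
            hidden.append(chr(ord(ch) - 0xE0000))
    return findings, "".join(hidden), "".join(kept)


# Constructed sample: a commit message that renders as plain text but carries
# two tag characters, a zero-width space and a bidi override.
SAMPLE_COMMIT = "Fix typo in README\U000E0068\U000E0069\u200b\u202e"

if __name__ == "__main__":
    for finding in scan_context(SAMPLE_COMMIT)[0]:
        print(finding)
```

Zero-width joiners also appear in legitimate emoji sequences, so findings are better logged and reviewed than used as an automatic reject.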

Another critical issue was how Duo's output was rendered inside GitLab's web interface. Instead of escaping potentially dangerous content, the assistant's HTML-based responses were displayed directly, without sanitization. This allowed Legit researchers to insert img and form tags into Duo's responses, which GitLab rendered inside the developer's browser session. While Legit's proof-of-concept attacks didn't escalate to full session hijacking, the presence of interactive HTML in AI responses created the potential for credential harvesting, clickjacking or exfiltration via web beacons.

GitLab Duo is designed to be integrated across development workflows, offering AI-powered help for writing code, summarizing issues and reviewing merge requests. The tight integration can be useful for developer productivity, but makes the assistant a powerful and potentially vulnerable attack surface. Legit Security advised treating generative AI assistants, especially those embedded across multiple stages of a CI/CD pipeline, as part of an organization's application security perimeter.

"AI assistants are now part of your application's attack surface," the company said, adding that security reviews should extend to LLM prompts, AI-generated responses and the ways those outputs are rendered or acted upon by users and systems.

GitLab said last year that it has updated its rendering mechanism to escape unsafe HTML elements and prevent unintended formatting from being displayed in the UI. It had also implemented several fixes, including input sanitization improvements and rendering changes to better handle AI output. GitLab added that customer data was not exposed during the research and no exploitation attempts were detected in the wild.
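One way to escape unsafe HTML elements in assistant output before it is displayed, so that img and form tags like those in the research arrive as inert text. This is an added example, not GitLab's implementation; the allowlist, class and function names, and sample response are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Formatting tags the chat panel is assumed to need; everything else is escaped.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "code", "pre", "ul", "ol", "li", "br"}


class ResponseSanitizer(HTMLParser):
    """Rebuild model output so only allowlisted, attribute-free tags stay live.

    Declarations and processing instructions fall through to the base class,
    which discards them.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.escaped_tags = []  # names of neutralised tags, kept for logging

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes are always dropped
        else:
            self.escaped_tags.append(tag)
            self.out.append(escape(self.get_starttag_text()))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # treat <x/> like <x>

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")
        else:
            self.out.append(escape(f"</{tag}>"))

    def handle_data(self, data):
        self.out.append(escape(data))  # text, including decoded entities

    def handle_comment(self, data):
        self.out.append(escape(f"<!--{data}-->"))  # make hidden comments visible


def sanitize_response(text):
    """Return (safe_html, escaped_tags) for one assistant response."""
    parser = ResponseSanitizer()
    parser.feed(text)
    parser.close()
    return "".join(parser.out), parser.escaped_tags


# Constructed sample response containing the tag types named in the research.
SAMPLE_RESPONSE = ('Summary: <b>done</b><img src="https://example.invalid/p.png">'
                   '<form action="https://example.invalid/"><input name="t"></form>')
```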
