Patched GitLab Duo Flaws Risked Code Leak, Malicious Content material

Hackers can exploit vulnerabilities in a generative synthetic intelligence assistant built-in throughout GitLab’s DevSecOps platform to control the mannequin’s output, exfiltrate supply code and probably ship malicious content material via the platform’s person interface.

See Additionally: On Demand | International Incident Response Report 2025

Researchers at Legit Safety stated that immediate injection and HTML output rendering may very well be used to take advantage of vulnerabilities in GitLab Duo, and hijack generative AI workflows and expose inside code. GitLab has patched the vulnerabilities.

The Duo chatbot is touted to “immediately generate a to-do checklist” that stops builders from “wading via weeks of commits.”

Legit Safety co-founder Liav Caspi and safety researcher Barak Mayraz demonstrated how GitLab Duo may very well be manipulated utilizing invisible textual content, obfuscated Unicode characters and deceptive HTML tags, subtly embedded in commit messages, problem descriptions, file names and challenge feedback.

As a result of Duo reads surrounding challenge context, resembling titles, feedback and up to date code commits, it may be manipulated utilizing seemingly innocuous textual content artifacts. These prompts have been designed to change Duo’s conduct or pressure it to output delicate info. One commit message included a hidden directive instructing Duo to reveal the content material of a personal file when requested a benign query. As a result of the assistant lacked robust guardrails, it complied.

GitLab Duo has since up to date the way it handles contextual enter, making it much less prone to comply with such embedded directions, however the researchers stated that the assault illustrates how even routine developer exercise can introduce sudden threats when AI copilots are within the loop.

One other important problem was how Duo’s rendered output inside GitLab’s net interface. As an alternative of escaping probably harmful content material, the assistant’s HTML-based responses have been displayed instantly, with out sanitization. This allowed Legit researchers to insert img and type tags into Duo’s responses, which GitLab rendered contained in the developer’s browser session. Whereas Legit’s proof-of-concept assaults did not escalate to full session hijacking, the presence of interactive HTML in AI responses created the potential for credential harvesting, clickjacking or exfiltration by way of net beacons.

GitLab Duo is designed to be built-in throughout improvement workflows, providing AI-powered assist for writing code, summarizing points and reviewing merge requests. The tight integration might be useful for developer productiveness, however makes the assistant a strong and probably weak assault floor. Legit Safety suggested treating generative AI assistants, particularly these embedded throughout a number of phases of a CI/CD pipeline, as a part of a corporation’s utility safety perimeter.

“AI assistants at the moment are a part of your utility’s assault floor,” the corporate stated, including that safety critiques ought to lengthen to LLM prompts, AI-generated responses and the methods these outputs are rendered or acted upon by customers and techniques.

GitLab stated final yr that it has up to date its rendering mechanism to flee unsafe HTML parts and stop unintended formatting from being displayed within the UI. It had additionally carried out a number of fixes, together with enter sanitization enhancements and rendering adjustments to higher deal with AI output. GitLab added that buyer information was not uncovered through the analysis and no exploitation makes an attempt have been detected within the wild.