GitLab CSRF Vulnerability in GraphQL API Allowing Arbitrary Mutation Execution

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.1.0 prior to 16.11.5, 17.0 prior to 17.0.3, and 17.1.0 prior to 17.1.1. This vulnerability allows attackers to exploit GitLab's GraphQL API by crafting requests that include GraphQL mutations, which could lead to unauthorized actions being performed on behalf of the victim.

Impact

Exploitation of this vulnerability allows for the general impacts of CSRF, with the added consequence of leaking sensitive CI/CD tokens from the victim's GitLab account. According to GitLab, an attacker can also use it to add a malicious runner to a project or to add an OAuth application to the victim's trusted apps, potentially leading to further exploitation.

Reproduction

To reproduce this vulnerability, a victim must be logged into GitLab. The attacker can craft a link whose request is labelled as a GraphQL introspection query operation but is executed as a mutation. This can be done by embedding the crafted link in a GitLab markdown-supported field, such as an issue or note. When the victim clicks the link, the mutation is executed, creating a snippet that can be used to exfiltrate CI/CD job tokens.

Remediation

Users can update to GitLab versions 17.1.1 or 17.0.3, where this vulnerability has been fixed.
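The defensive lesson of this advisory is that the operation label a client sends (such as an introspection query name) says nothing about what the GraphQL document actually does. As an added example that is not GitLab's code (the advisory does not describe the exact upstream fix), the following Python sketch classifies a GraphQL document by parsing its top-level definitions and then refuses mutations that arrive over GET or without a valid CSRF token; GraphQLRequest, operation_types and authorize are hypothetical names, and the request used in the comments is constructed.

```python
import re
from dataclasses import dataclass
# Strip comments and string literals first so keywords inside them are not seen.
_NOISE = re.compile(r'#[^\n]*|"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"')
_TOKEN = re.compile(r'[A-Za-z_]\w*|[{}()]')
_OPERATIONS = {"query", "mutation", "subscription"}

def operation_types(document: str) -> set:
    """Operation types defined at the top level of a GraphQL document.

    A definition starts at the beginning of the document or right after a
    top-level '}'; an anonymous selection set '{ ... }' is a query. Words
    nested in selection sets, arguments, strings or comments are ignored.
    """
    depth, at_definition_start, found = 0, True, set()
    for tok in _TOKEN.findall(_NOISE.sub(" ", document)):
        if tok in ("{", "("):
            if depth == 0 and at_definition_start and tok == "{":
                found.add("query")  # anonymous shorthand query
            depth += 1
            at_definition_start = False
        elif tok in ("}", ")"):
            depth -= 1
            at_definition_start = depth == 0 and tok == "}"
        elif depth == 0 and at_definition_start:
            if tok in _OPERATIONS:
                found.add(tok)
            at_definition_start = False  # 'fragment' or an operation name
    return found

@dataclass
class GraphQLRequest:
    method: str
    document: str
    operation_name: str = ""        # client-chosen label, never trusted here
    csrf_token_valid: bool = False  # result of the app's usual same-origin token check

def authorize(req: GraphQLRequest) -> tuple:
    """Return (allowed, reason). Mutations need POST and a valid CSRF token;
    the operationName the client sends plays no part in the decision."""
    ops = operation_types(req.document)
    if not ops:
        return False, "no operation definition found"
    if "mutation" in ops:
        if req.method.upper() != "POST":
            return False, "mutations are only accepted over POST"
        if not req.csrf_token_valid:
            return False, "mutation without a valid CSRF token"
    return True, "ok"
```

A request whose document reads `mutation IntrospectionQuery { ... }` is classified as a mutation regardless of its operationName, so a link-style GET carrying it is rejected while a genuine `query IntrospectionQuery { __schema { ... } }` still passes.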

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread          7.3
impact          5.0
exploitability  7.7
remediation     7.7
relevance       0.2
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.