GitLab Pages Subdomain Takeover Vulnerability

Vulnerability

A subdomain takeover vulnerability has been identified in GitLab Community Edition (CE) and Enterprise Edition (EE) in all versions prior to 16.11.6, in 17.0 prior to 17.0.4, and in 17.1 prior to 17.1.2. It allows an attacker to take over a dangling custom domain, that is, a hostname whose DNS record still points at GitLab Pages but that is no longer claimed by the project that originally used it. The root cause is that GitLab Pages begins serving content for a newly added custom domain before the domain has passed DNS ownership verification: an unverified domain is served for up to seven days before it is disabled, and that grace period is long enough for an attacker to host content under the hostname.

Impact

An attacker who takes over the domain can serve arbitrary content from a hostname that the organization's users already trust, for example a phishing page, or script that reads cookies scoped to the parent domain (a cookie whose Domain attribute is the parent domain, such as example.com, is sent to every subdomain, including the one the attacker now controls). If the hostname is allow-listed in the organization's Content Security Policy or in a Cross-Origin Resource Sharing configuration, the attacker's origin inherits that trust, so the takeover also bypasses those restrictions.

Reproduction

To reproduce this vulnerability, add a custom domain to a GitLab Pages project without verifying it, and disable the 'Force HTTPS' option, since redirecting to HTTPS requires a valid certificate for the domain. Once the domain is added, GitLab Pages serves the project's content for it over HTTP. Now remove the domain from that project while leaving its DNS record (a CNAME to a gitlab.io name, or an A record for the Pages address) pointing at GitLab Pages: the hostname is dangling. Adding it, again unverified, to a different project makes Pages serve that project's content for the hostname, and it keeps doing so for up to seven days before the unverified domain is disabled, which completes the takeover.
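The precondition for the attack is a DNS record that points at GitLab Pages for a hostname nobody has verified. The following audit script is an added example (not GitLab's own code and not part of the original advisory) that scans a zone for exactly that condition. It assumes the gitlab.com values from GitLab's Pages documentation: custom domains point at Pages via a CNAME to a name under gitlab.io or an A record for 35.185.44.232, and ownership is proven by a TXT record named _gitlab-pages-verification-code.<host> (or on the host itself) whose value is gitlab-pages-verification-code=<code>. A self-managed instance would substitute its own Pages address. The sample zone is constructed, and the regex assumes the verification code is hexadecimal.

```python
"""Find hostnames that point at GitLab Pages but carry no verification record.

Added example, not GitLab code. A hostname that resolves to Pages without a
_gitlab-pages-verification-code TXT record is either never verified or dangling,
and is the precondition for the subdomain takeover described above.
"""
import re
from collections import defaultdict

# gitlab.com values from GitLab's Pages documentation; self-managed differs.
PAGES_CNAME_SUFFIX = ".gitlab.io."                 # CNAME target suffix
PAGES_IP = "35.185.44.232"                          # gitlab.com Pages A record
VERIFY_LABEL = "_gitlab-pages-verification-code."  # TXT owner-name prefix
# Assumption: the code GitLab issues is a hex string.
VERIFY_RE = re.compile(r"^gitlab-pages-verification-code=[0-9a-f]+$")

# Constructed sample zone as (owner, type, rdata), BIND-style with trailing dots.
SAMPLE_ZONE = [
    ("docs.example.com.", "CNAME", "acme.gitlab.io."),
    ("_gitlab-pages-verification-code.docs.example.com.", "TXT",
     "gitlab-pages-verification-code=" + "a" * 32),            # verified
    ("old-blog.example.com.", "CNAME", "acme.gitlab.io."),     # TXT removed: dangling
    ("status.example.com.", "A", "35.185.44.232"),             # never verified
    ("www.example.com.", "CNAME", "example.com."),             # not Pages at all
    ("example.com.", "A", "203.0.113.10"),
]


def index_zone(records):
    """Group records by lower-cased owner name for O(1) lookups."""
    by_owner = defaultdict(list)
    for owner, rtype, rdata in records:
        by_owner[owner.lower()].append((rtype.upper(), rdata))
    return by_owner


def points_at_pages(owner, by_owner):
    """True if the owner's CNAME or A record lands on GitLab Pages.

    Only the direct record is examined; CNAME chains are not followed.
    """
    for rtype, rdata in by_owner.get(owner, []):
        if rtype == "CNAME" and rdata.lower().endswith(PAGES_CNAME_SUFFIX):
            return True
        if rtype == "A" and rdata == PAGES_IP:
            return True
    return False


def has_verification_txt(owner, by_owner):
    """True if a well-formed verification TXT exists for the owner.

    GitLab accepts the record under the _gitlab-pages-verification-code
    label or directly on the domain, so both names are checked.
    """
    for name in (VERIFY_LABEL + owner, owner):
        for rtype, rdata in by_owner.get(name, []):
            if rtype == "TXT" and VERIFY_RE.match(rdata.strip('"')):
                return True
    return False


def find_takeover_candidates(records):
    """Return hostnames (without trailing dot) that point at Pages unverified."""
    by_owner = index_zone(records)
    return sorted(
        owner.rstrip(".")
        for owner in by_owner
        if not owner.startswith(VERIFY_LABEL)
        and points_at_pages(owner, by_owner)
        and not has_verification_txt(owner, by_owner)
    )


if __name__ == "__main__":
    for host in find_takeover_candidates(SAMPLE_ZONE):
        print("unverified GitLab Pages target:", host)
```

A hit means either the record is dangling (the project dropped the domain but the DNS record stayed) or the domain was attached without ever completing verification; both should be resolved by deleting the DNS record or adding the TXT record, because the TXT record binds the hostname to one project's code and an attacker cannot forge it without control of the zone.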

Remediation

Users are advised to upgrade to GitLab 17.1.2, 17.0.4, or 16.11.6 (or a later release on the same branch), where this vulnerability has been patched. Independently of the upgrade, operators should remove any DNS record that still points at GitLab Pages for a domain no longer attached to a project, since a dangling record is the precondition for the takeover.
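The affected ranges span three release branches, so a fleet check has to compare against the fixed version of the matching branch rather than a single number. The helper below is an added example (not GitLab code) that encodes the ranges stated in this advisory; it assumes version strings of the form 17.0.3, optionally with a v prefix or an -ee suffix, and that every branch newer than 17.1 was released after the fix.

```python
"""Classify a GitLab version string against this advisory's affected ranges.

Added example, not GitLab code. Ranges from the advisory text:
  all versions prior to 16.11.6, 17.0 prior to 17.0.4, 17.1 prior to 17.1.2.
"""

# Branch-specific fixed versions, keyed by (major, minor).
FIXED_BY_BRANCH = {(17, 0): (17, 0, 4), (17, 1): (17, 1, 2)}
# Everything below this, on any older branch, is affected.
OLDEST_FIXED = (16, 11, 6)
NEWEST_AFFECTED_BRANCH = (17, 1)


def parse_version(text):
    """Turn '17.0.3', 'v17.0.3' or '17.0.3-ee' into a (major, minor, patch) tuple."""
    core = text.strip().lstrip("v").split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a GitLab release version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(text):
    """True if the given GitLab version falls in an affected range."""
    version = parse_version(text)
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:            # 17.0.x or 17.1.x: compare in-branch
        return version < FIXED_BY_BRANCH[branch]
    if branch > NEWEST_AFFECTED_BRANCH:      # 17.2 and later shipped with the fix
        return False
    return version < OLDEST_FIXED             # 16.11 and every older branch


def triage(versions):
    """Map each version string to 'affected' or 'fixed' for a fleet report."""
    return {v: ("affected" if is_affected(v) else "fixed") for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory.
    for version, status in triage(["16.10.9", "16.11.6", "17.0.3-ee", "17.1.2", "17.2.0"]).items():
        print(f"{version:12} {status}")
```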

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
  spread          7.3
  impact          0.6
  exploitability  9.5
  remediation     7.7
  relevance       0.0
  threat          6.4
  urgency         2.9
  incentive      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.