A vulnerability (CVE-2024-10383) has been discovered in the gitlab-web-ide-vscode-fork component used by GitLab CE/EE. It affects all versions prior to 1.89.1-1..-dev-20241118094343 and GitLab CE/EE versions starting from 15.11 to 17.3. It was also temporarily present in versions 17.4, 17.5, and 17.6. The flaw allows an attacker to launch a cross-site scripting (XSS) attack when .ipynb files are loaded in the web IDE.
Below is a simplified pseudocode snippet showing how the vulnerability might be triggered:
    // Mimetype for .ipynb files
    mimeType = "application/x-ipynb+json";
    ...
    // Attempt loading the .ipynb file
    loadFile(mimeType, fileContent, vulnerabilities);
    ...
    // XSS vulnerability through the fileContent parameter
    function loadFile(mimeType, fileContent, vulnerabilities) {
        ...
        if (mimeType === "application/x-ipynb+json") {
            const jsonContent = JSON.parse(fileContent);
            // XSS attack can be triggered using the JSON content
            ...
        }
        ...
    }
Here is a list of the sources where the vulnerability was originally reported:
1. Official GitLab Security Advisory: This advisory contains information on the CVE, affected versions, and mitigation steps.
2. NVD CVE-2024-10383: The official NIST entry for the vulnerability, which provides the vulnerability's severity and affected components.
3. GitLab Web IDE Release Notes: This page contains details on the release notes for various GitLab versions, including fixes related to the CVE.
Exploit Details
To exploit this vulnerability, an attacker would need to craft a malicious .ipynb file containing embedded JavaScript code, then upload and load it in the web IDE. Once loaded, the malicious JavaScript code would be executed within the context of the web IDE, potentially compromising the security of the system.
The JSON content of the .ipynb file can be manipulated to include a malicious payload, such as:
    {
        "cells": [
            ...
        ],
        "metadata": {
            "language_info": {
                "version": "<script>alert('XSS');</script>"
            }
        },
        "nbformat": 4,
        ...
    }
When loaded, the malicious <script> tag would be executed as JavaScript code, triggering the XSS attack.
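As an added example (not GitLab's code and not taken from the advisory), the following JavaScript shows the defensive side of the issue described above: the unsafe pattern of concatenating notebook metadata straight into HTML next to an escaped version, plus a metadata scan a loader could run before rendering. The language_info.version field is the one the page's payload targets; the "badge" render target and the function names are assumptions for illustration.

```javascript
// Added example (not GitLab's code): safe handling of untrusted .ipynb
// metadata before it reaches the DOM, plus a pre-load scan for HTML in
// metadata strings. Field names and the "badge" render target are
// assumptions for illustration; the notebook below is constructed.

// Constructed sample notebook carrying the payload shape from the page.
const SAMPLE_NOTEBOOK = JSON.stringify({
  cells: [],
  metadata: {
    language_info: { name: "python", version: "<script>alert('XSS');</script>" },
  },
  nbformat: 4,
});

// HTML-escape a string so the browser renders it as text, not markup.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: untrusted metadata concatenated straight into HTML.
function buildLanguageBadgeUnsafe(notebookJson) {
  const info = JSON.parse(notebookJson).metadata?.language_info ?? {};
  return `<span class="lang">${info.name} ${info.version}</span>`;
}

// Hardened pattern: every untrusted value is escaped before it becomes markup.
function buildLanguageBadgeSafe(notebookJson) {
  const info = JSON.parse(notebookJson).metadata?.language_info ?? {};
  return `<span class="lang">${escapeHtml(info.name ?? "")} ${escapeHtml(info.version ?? "")}</span>`;
}

// Detection aid: walk notebook metadata and report the paths of string values
// that contain markup characters, so a loader or CI check can refuse the file.
function findMarkupInMetadata(notebookJson) {
  const hits = [];
  const walk = (node, path) => {
    if (typeof node === "string") {
      if (/[<>]/.test(node)) hits.push(path);
    } else if (node && typeof node === "object") {
      for (const [key, child] of Object.entries(node)) walk(child, `${path}.${key}`);
    }
  };
  walk(JSON.parse(notebookJson).metadata ?? {}, "metadata");
  return hits;
}
```

Escaping at the point where a value becomes markup is the fix; the metadata scan is only a supplementary check, since legitimate notebooks may contain angle brackets in strings.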
Mitigation
To address this issue, GitLab released new versions (17.6.2, 17.5.3, and 17.4.4) that patch the vulnerability. Users should update their GitLab CE/EE installations to one of these versions immediately. Additionally, users should avoid opening untrusted .ipynb files in the web IDE until they have updated their installations.
For more details on the mitigation process, including necessary patches, please refer to the official security advisory provided by GitLab.
Timeline
Published on: 02/07/2025 15:15:16 UTC