Sunday, June 15, 2025
Advertisements

GitLab Duo Vulnerability Exposed Source Code and Enabled Malicious Links

by Charline
written by Charline

A remote prompt injection flaw in GitLab Duo, the platform’s AI coding assistant, allowed attackers to leak private code and inject malicious HTML into user-facing content. The issue was responsibly disclosed in February 2025 and has since been patched.

Hidden Prompts Exploited Duo’s Context Awareness

Attackers used encoded prompts hidden in merge requests, commits, or comments to manipulate Duo’s behavior. Techniques included Unicode smuggling and Base16 payloads to bypass detection, aligning with several 2025 OWASP LLM Top 10 vulnerabilities, including Prompt Injection and Information Disclosure.

HTML Injection via Markdown Streaming

The most severe risk came from how Duo streamed markdown into HTML. Despite using DOMPurify, tags like <img> and <a> weren’t fully sanitized. This allowed attackers to embed Base64-encoded data in image tags, which browsers then sent to attacker-controlled servers—leaking sensitive code.

Patch and Lessons Learned

GitLab released patch duo-ui!52 to block unsafe HTML rendering from external domains. Researcher Omer Mayraz emphasized that AI tools must now be considered part of the security perimeter and treated with the same scrutiny as any web-exposed input processor.

Stay alert: AI coding assistants increase productivity—but also expand the attack surface. Ensure your tools are patched and input is strictly validated.

Advertisements
You Might Also Like
Advertisements
blank

Charline is the editor of ProxyServerPro's platform. She is a digital privacy and proxy solutions expert with over 10 years of experience writing and editing content related to online security, browsing solutions, and data protection. Charline has contributed to various tech publications and worked closely with professionals and businesses to enhance their understanding of proxies, internet anonymity, and digital security. Prior to joining ProxyServerPro, she worked at leading digital security firms, where she helped produce educational content aimed at helping users navigate the complexities of the online world with confidence and security.

You may also like

5 Effective Methods to Use Multiple Proxies Simultaneously

How to Fix an Open Proxy — Step-by-Step Guide

How to Use Proxy in Brave Browser | Step-by-Step Guide

How to Use Proxy in Chrome on Android — Step-by-Step Guide

How to Use SOCKS5 Proxy on Chrome? A Comprehensive Guide

How to Use VPN and Proxy Together? A Comprehensive Guide

blank

At ProxyServerPro, we are dedicated to providing cutting-edge proxy solutions tailored to meet the diverse needs of businesses and individuals. Our platform offers a comprehensive range of high-performance proxies, including residential, datacenter, and mobile options, ensuring seamless browsing, data scraping, and online anonymity. With a focus on reliability, speed, and security, we empower users to navigate the digital landscape with confidence. Whether you’re managing ad verification, market research, or web automation, ProxyServerPro is your trusted partner for scalable, efficient, and secure proxy services. Explore our portal to discover how we can elevate your online experience.

popular recommendation

The Five Best Free Proxy Servers
Is FoxyProxy Safe?
AI Demand Drives Record Revenue Growth in Server and Storage Components
How Does a Web Proxy Work?

Useful Links

TAGS

© 2024 Copyright  proxyserverpro.com