VYPR
Unrated severity · NVD Advisory · Published May 19, 2022 · Updated Aug 3, 2024

CVE-2022-1416

Description

Missing sanitization of data in Pipeline error messages in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 allows for rendering of attacker controlled HTML tags and CSS styling.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GitLab CE/EE pipeline error messages lack HTML sanitization, allowing attackers to inject HTML/CSS via crafted filenames or project paths.

Vulnerability

A missing sanitization vulnerability in GitLab CE/EE affects pipeline error messages displayed on the /pipelines/new page. When a user enters a non-existent or broken YAML file as a pipeline configuration, the error message includes the project namespace/path and filename without proper HTML encoding. This allows an attacker to inject arbitrary HTML tags and CSS styling by creating a project with a malicious filename (e.g., hack.yml) or a crafted namespace/path. The vulnerability affects all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 [1].

Exploitation

An attacker must have the ability to create or modify a GitLab project to set a malicious filename or namespace/path. The attacker then triggers a pipeline error (e.g., by referencing a broken YAML file) on the /pipelines/new page. When a victim visits that page, the injected HTML/CSS is rendered. The payload is processed through DOMPurify (via v-safe-html), which prevents full XSS but allows CSS injection and certain HTML elements. The attacker can, for example, overlay the entire page with an invisible link to a malicious site or mimic GitLab UI elements to trick users into revealing credentials [1].

Impact

Successful exploitation allows an attacker to inject HTML and CSS into the pipeline error page. This can be used to redirect victims to phishing sites by overlaying the page with a transparent link, or to impersonate GitLab UI components (e.g., password approval prompts) to steal credentials. While DOMPurify prevents arbitrary JavaScript execution, the CSS injection is sufficient for social engineering attacks that can lead to account compromise or data theft [1].

Mitigation

GitLab released fixed versions: 14.8.6, 14.9.4, and 14.10.1. Users should upgrade to these versions or later. No workaround is available for unpatched instances. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing HTML encoding of user-controlled filenames and project paths in pipeline error messages before rendering via v-safe-html."

Attack vector

An attacker sets a malicious filename (e.g., `

Affected code

The vulnerability exists in the pipeline error message rendering on the `/pipelines/new` page. The error message is constructed from user-controlled values (namespace/project and filename) that are not HTML-encoded before being passed to `v-safe-html` in the Vue view [ref_id=1]. The affected code path processes the `pipelineConfigurationFullPath` parameter, which can contain attacker-controlled filenames like `

What the fix does

The advisory states the proposed solution is for the backend to sanitize the error input before it reaches the frontend [ref_id=1]. No patch diff is included in the bundle, but the fix would involve HTML-encoding or stripping dangerous tags from the filename and project path values at the server side before they are interpolated into the error message. This prevents attacker-controlled HTML and CSS from being passed to `v-safe-html` and rendered in the victim's browser.
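To make the server-side fix concrete, the following Ruby is an added example (not GitLab's code and not the actual patch, which the bundle does not include). It shows the unsafe pattern the advisory describes, in which user-controlled path and filename values are interpolated straight into an error message, beside the hardened form that HTML-encodes each value with `ERB::Util.html_escape` before interpolation. The sample inputs, the `valid_config_path?` allowlist and its 255-character limit (taken from the preconditions listed on this page) are assumptions for illustration.

```ruby
require "erb"

# Constructed sample inputs (not taken from the advisory): a project path and a
# configuration filename carrying an HTML tag and an inline CSS style.
HOSTILE_PATH = "group/<b style=\"color:red\">project</b>"
HOSTILE_FILE = "<i>missing</i>.yml"

# The pattern the advisory describes: user-controlled values are interpolated
# into an error message that the frontend later renders as HTML, so any tags
# or style attributes in them reach the browser untouched.
def unsafe_error_message(project_path, filename)
  "Unable to load pipeline configuration #{filename} from project #{project_path}"
end

# Hardened form: HTML-encode every user-controlled value on the server before
# it is interpolated. html_escape turns <, >, &, " and ' into entities, so the
# browser displays them as text instead of parsing them as markup.
def safe_error_message(project_path, filename)
  "Unable to load pipeline configuration #{ERB::Util.html_escape(filename)} " \
    "from project #{ERB::Util.html_escape(project_path)}"
end

# Defence in depth at the input boundary (assumed policy, not GitLab's): a
# pipeline configuration path in the `file.yml@group/project` form only needs
# word characters, dots, slashes, dashes and a single '@', and the field is
# capped at 255 characters.
def valid_config_path?(path)
  return false if path.length > 255
  path.match?(%r{\A[\w./-]+(@[\w./-]+)?\z})
end

# Check a reviewer or regression test can apply to any string that is about to
# be handed to an HTML-rendering directive: raw tag characters must be gone.
def contains_raw_markup?(message)
  message.match?(/[<>]/)
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe : #{unsafe_error_message(HOSTILE_PATH, HOSTILE_FILE)}"
  puts "encoded: #{safe_error_message(HOSTILE_PATH, HOSTILE_FILE)}"
  puts "hostile filename accepted by validator? #{valid_config_path?(HOSTILE_FILE)}"
end
```

Output encoding is the fix the advisory calls for; the allowlist validator is an extra layer that rejects such values before they are stored at all, which also keeps them out of logs and other places where the same string might be rendered later.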

Preconditions

  • config: Attacker must have the ability to set a pipeline configuration file path (e.g., via compliance framework or project pipeline settings) containing an HTML/CSS payload
  • input: Victim must visit the /pipelines/new page and trigger a pipeline run that fails due to the malicious file path
  • input: The attacker's payload must be 255 characters or fewer due to the pipeline configuration field length limit

Reproduction

1. Create a group and a project within it.
2. Use the GraphQL API to create a compliance framework with a `pipelineConfigurationFullPath` containing a malicious payload (e.g., `a.yml@

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0

No linked articles in our index yet.