VYPR
Unrated severity · NVD Advisory · Published Aug 5, 2022 · Updated Aug 3, 2024

CVE-2022-2417

Description

Insufficient validation in GitLab CE/EE affecting all versions from 12.10 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1 allows an authenticated and authorised user to import a project that includes branch names which are 40 hexadecimal characters, which could be abused in supply chain attacks where a victim pinned to a specific Git commit of the project.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GitLab CE/EE allows authenticated users to import projects with branch names that are 40 hex characters, enabling supply chain attacks by confusing commit references.

Vulnerability

In GitLab CE/EE versions from 12.10 prior to 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1, insufficient validation during project import via the git:// protocol allows the creation of branch names that consist of exactly 40 hexadecimal characters. This bypasses the checks normally applied during push operations, which prohibit such branch names because they can be mistaken for commit hashes [1].

Exploitation

An authenticated and authorized user can import a repository containing branch names that are 40 hex characters. The attacker must have the ability to create or import projects. By crafting a repository with such branch names and importing it, the attacker can create branches that visually resemble Git commit hashes. This can be exploited in supply chain attacks where a victim relies on a pinned commit reference, potentially being misled into using a malicious branch instead of the intended commit [1].

Impact

Successful exploitation allows an attacker to introduce confusion in supply chain workflows. A victim who pins a dependency or project to a specific Git commit hash may be tricked into using a branch with the same name, which could contain malicious code. This undermines the integrity of commit-based trust models and can lead to unauthorized code execution or data compromise depending on the context of the imported project [1].

Mitigation

GitLab has addressed this issue in versions 15.0.5, 15.1.4, and 15.2.1. Users should upgrade to these or later versions. No workaround is documented; the fix ensures that the same branch name checks applied during push operations are also enforced during imports via the git:// protocol [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing enforcement of prohibited-branch-name checks during project import via the git:// protocol allows creation of branches that look like commit hashes."

Attack vector

An authenticated and authorised user imports a repository via the `git://` protocol that contains branch names consisting of exactly 40 hexadecimal characters (the same format as a Git commit hash) [ref_id=1]. Because the import path does not enforce the same `prohibited_branch_checks` that are applied during normal push operations, these branches are created in the imported project [ref_id=1]. An attacker can then use such a branch in a supply chain attack: if a victim pins a dependency or reference to a specific Git commit hash, the attacker could later replace the content of that branch (which shares the same name as the commit hash) to point to malicious code, and the victim's pinned reference would resolve to the attacker-controlled branch instead of the original commit [ref_id=1].

Affected code

The issue affects the project import functionality in GitLab CE/EE. The checks that prevent pushing branch names that are 40 hexadecimal characters (commit-hash-like) are implemented in `lib/gitlab/checks/branch_check.rb`, but these checks are not enforced when importing a repository via the `git://` protocol [ref_id=1]. The import path bypasses the `prohibited_branch_checks` that are applied during normal push operations [ref_id=1].

What the fix does

The advisory describes a two-step solution [ref_id=1]. First, ensure that `git fsck` is applied after importing projects via the `git://` protocol (to catch issues like `.git` directories), which is to be implemented by the Gitaly team [ref_id=1]. Second, run a clean-up task after the import is completed to delete all prohibited branches, specifically those with names that are 40 hexadecimal characters [ref_id=1]. No patch diff is included in the bundle; the fix applies the same branch-name validation checks to the import path that already exist for normal push operations in `lib/gitlab/checks/branch_check.rb` [ref_id=1].
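As an added illustration (written for this page, not GitLab's code and not the patch described above), the Ruby below applies the same rule the advisory refers to: a branch name of exactly 40 hexadecimal characters is treated as prohibited because it is indistinguishable from a full SHA-1 object id. `audit_branches` consumes lines in the shape of `git for-each-ref --format='%(refname) %(objectname)' refs/heads` output (the sample here is constructed), and `cleanup_commands` produces the deletions a post-import clean-up task of the kind the advisory describes would perform. All function and constant names are assumptions.

```ruby
# Added example, not GitLab's own code: audit a repository's branch list for
# names that are exactly 40 hexadecimal characters (commit-hash-like) and
# produce the clean-up a post-import task would run to remove them.

# Matched case-insensitively as a conservative choice: a name differing from a
# real object id only in letter case is still easy to confuse with one.
COMMIT_HASH_LIKE = /\A[0-9a-f]{40}\z/i

# True when a branch name has the exact shape of a full SHA-1 object id.
def commit_hash_like?(branch_name)
  COMMIT_HASH_LIKE.match?(branch_name)
end

# Parse lines in the shape produced by
#   git for-each-ref --format='%(refname) %(objectname)' refs/heads
# and split the branches into allowed and prohibited sets. Refs outside
# refs/heads/ (tags, remotes) are ignored; only branch names are checked.
def audit_branches(for_each_ref_output)
  result = { allowed: [], prohibited: [] }
  for_each_ref_output.each_line do |line|
    refname, oid = line.split
    next unless refname&.start_with?('refs/heads/')
    branch = refname.delete_prefix('refs/heads/')
    bucket = commit_hash_like?(branch) ? :prohibited : :allowed
    result[bucket] << { branch: branch, oid: oid }
  end
  result
end

# Commands a clean-up task would run to delete the prohibited branches.
# `git update-ref -d` is used instead of `git branch -D` so the same command
# works in a bare (server-side) repository.
def cleanup_commands(audit)
  audit[:prohibited].map { |b| "git update-ref -d refs/heads/#{b[:branch]}" }
end

# Constructed sample input: two ordinary branches, one branch whose name is a
# 40-hex string, and a tag (which the audit must ignore).
SAMPLE_REFS = <<~REFS
  refs/heads/main 3f8c9a1b2e4d5c6f7a8b9c0d1e2f3a4b5c6d7e8f
  refs/heads/feature/login 9b2e4d5c6f7a8b9c0d1e2f3a4b5c6d7e8f3f8c9a
  refs/heads/da39a3ee5e6b4b0d3255bfef95601890afd80709 0d1e2f3a4b5c6d7e8f3f8c9a9b2e4d5c6f7a8b9c
  refs/tags/v1.0 1111111111111111111111111111111111111111
REFS

if $PROGRAM_NAME == __FILE__
  audit = audit_branches(SAMPLE_REFS)
  puts "Prohibited branches: #{audit[:prohibited].map { |b| b[:branch] }.inspect}"
  cleanup_commands(audit).each { |cmd| puts cmd }
end
```

To audit a real repository, pipe the output of the `git for-each-ref` command named in the comment into `audit_branches` instead of the constructed sample; a non-empty `:prohibited` list on a project that was created by import is the condition the advisory's clean-up task exists to correct. The check only flags names of exactly 40 characters, matching the rule the advisory states; shorter hex prefixes are not flagged.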

Preconditions

  • (auth) The attacker must be an authenticated and authorised user of the GitLab instance with permission to import projects
  • (input) The attacker must have access to a Git repository (hosted externally) that contains branch names which are 40 hexadecimal characters
  • (input) The attacker must import the repository via the git:// protocol

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2
