VYPR
Unrated severity · NVD Advisory · Published Oct 17, 2022 · Updated May 13, 2025

CVE-2022-2428

Description

A crafted tag in the Jupyter Notebook viewer in GitLab EE/CE affecting all versions before 15.1.6, 15.2 to 15.2.4, and 15.3 to 15.3.2 allows an attacker to issue arbitrary HTTP requests.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A crafted HTML form tag in the Jupyter Notebook viewer allows SSRF via arbitrary HTTP requests in GitLab versions before 15.1.6, 15.2.4, and 15.3.2.

Vulnerability

A crafted form tag in the Jupyter Notebook viewer in GitLab Enterprise Edition/Community Edition (all versions before 15.1.6, 15.2 to 15.2.4, and 15.3 to 15.3.2) allows an attacker to issue arbitrary HTTP requests to the GitLab instance. The input sanitization for .ipynb notebooks fails to exclude the `form` HTML tag, enabling the injection of arbitrary form elements [1].

Exploitation

An attacker with the ability to upload a .ipynb file (or commit one to a repository) can embed a malicious form element within an HTML output cell. By setting the `action` attribute to a target endpoint and using hidden input fields, the attacker can control the HTTP method (POST, PUT, DELETE or PATCH, via a `_method` field) and parameters. The attacker can also use a `class` attribute (e.g., `fixed-top fixed-bottom`) to render the submit button as a transparent overlay over the entire page, so that any user click on the viewer triggers the form submission [1].

Impact

Successful exploitation allows an attacker to perform arbitrary HTTP requests to the GitLab instance, potentially leading to privilege escalation (e.g., making an account an admin), data exfiltration, or other server-side operations, depending on the target endpoint and the authenticated session of the victim viewing the notebook. The impact is limited by the permissions of the victim user [1].

Mitigation

Fixed versions: GitLab 15.1.6, 15.2.4, and 15.3.2, released on 2022-08-10. Users should upgrade to the latest available version. No workaround is mentioned in the references. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0. No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing sanitization of the `form` HTML tag in the Jupyter Notebook viewer allows injection of arbitrary HTML forms."

Attack vector

An attacker crafts a `.ipynb` file whose output cell contains a `

Affected code

The Jupyter Notebook (`.ipynb`) viewer in GitLab EE/CE does not sanitize the `form` HTML tag. The vulnerability exists in the rendering pipeline that converts notebook output cells containing `text/html` into the page DOM.

What the fix does

The fix must exclude the `form` tag from the allowed HTML elements during sanitization of notebook output. The advisory states that "the sanitization does not exclude `form` tag" [ref_id=1]; therefore the remediation is to add `form` to the sanitizer's blocklist so that any `
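The remediation described above, as an added defensive example that is not GitLab's code: an allowlist sanitizer for the `text/html` outputs of a parsed `.ipynb` file that drops `form` and its controls (and any non-allowlisted attribute such as `action`) while keeping ordinary markup. The notebook structure follows nbformat's `cells[].outputs[].data["text/html"]` layout; the sample cell and the `/placeholder` endpoint are constructed.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist for notebook text/html output. `form` and its controls (input, button, select,
# textarea) are deliberately absent, matching the advisory's remediation of excluding `form`.
ALLOWED_TAGS = {"a", "b", "br", "code", "div", "em", "i", "img", "li", "ol", "p", "pre", "span", "strong", "ul"}
ALLOWED_ATTRS = {"href", "src", "alt", "title", "class"}   # no action/formaction/on* handlers
VOID_TAGS = {"br", "img"}

class FormStrippingSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped = [], []        # rebuilt HTML; disallowed tags seen

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)           # e.g. form, input, button (text inside is kept)
            return
        kept = " ".join(f'{k}="{escape(v or "", quote=True)}"' for k, v in attrs if k in ALLOWED_ATTRS)
        self.out.append(f"<{tag} {kept}>" if kept else f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))   # text is re-escaped, never emitted raw

def sanitize_html(fragment):
    """Return (clean_html, dropped_tags) for one text/html output fragment."""
    parser = FormStrippingSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped

def sanitize_notebook(nb):
    """Sanitize every text/html output of a parsed .ipynb dict in place; return dropped tags."""
    dropped = []
    for cell in nb.get("cells", []):
        for output in cell.get("outputs", []):
            html_out = output.get("data", {}).get("text/html")
            if html_out is None:
                continue
            text = "".join(html_out) if isinstance(html_out, list) else html_out  # nbformat allows both
            output["data"]["text/html"], bad = sanitize_html(text)
            dropped.extend(bad)
    return dropped

SAMPLE_NB = {"cells": [{"outputs": [{"data": {"text/html": [   # constructed sample, not the report's payload
    '<p>Report</p><form action="/placeholder" method="post"><input type="hidden" name="_method" value="put">',
    '<button class="fixed-top">Go</button></form>']}}]}]}
```

The returned list of dropped tags doubles as a detection signal: a notebook whose HTML output needed `form` or `input` removed is worth flagging before it is rendered to other users.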

Preconditions

  • Input: Attacker must be able to commit a .ipynb file to a GitLab project
  • Config: Victim must view the malicious .ipynb file through GitLab's notebook viewer
  • Input: Victim must click anywhere on the rendered notebook page

Reproduction

1. In an existing GitLab project, add a file named `notebook-test.ipynb` with the JSON payload shown in the HackerOne report [ref_id=1]. The payload includes a `

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3
