CVE-2022-3280
Description
An open redirect in GitLab CE/EE affecting all versions from 10.1 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to trick users into visiting a trustworthy URL and being redirected to arbitrary content.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An open redirect in GitLab CE/EE's pipeline artifact page lets attackers redirect users from a trusted gitlab.com URL to arbitrary attacker-controlled content.
Vulnerability
GitLab Community Edition (CE) and Enterprise Edition (EE) versions from 10.1 before 15.3.5, from 15.4 before 15.4.4, and from 15.5 before 15.5.2 contain an open redirect vulnerability in the artifact file download mechanism. When a pipeline produces HTML files as artifacts, the artifact browse page presents these files as external links. Clicking an HTML file link navigates to https://gitlab.com/GROUP/PROJECT/-/jobs/JOBID/artifacts/file/filename.html, which issues a 303 redirect to the attacker-controlled content hosted on the gitlab.io Pages domain. No special configuration beyond having a public project with pipeline artifacts is required [1].
Exploitation
An attacker needs to be able to push a commit that triggers a CI/CD pipeline which generates an HTML file artifact. The attacker then crafts a link pointing to the GitLab artifact file URL, which can be placed anywhere (e.g., in a Markdown comment, issue, or merge request). When a victim clicks the link, they are first redirected via the trusted gitlab.com domain to the attacker's HTML page on gitlab.io, where the attacker can serve arbitrary HTML/JavaScript and perform further redirection. The open redirect chain makes the initial URL appear legitimate [1].
Impact
By exploiting this open redirect, an attacker can trick users into visiting attacker-controlled content while the URL in the address bar or link preview appears to be a genuine gitlab.com address. This aids phishing, malware delivery, or credential theft by abusing user trust in the GitLab domain. The attacker gains the ability to control the final landing page content [1].
Mitigation
The vulnerability is fixed in GitLab CE/EE versions 15.3.5, 15.4.4, and 15.5.2, released on 2022-11-09. Users should upgrade to one of these patched versions. No workaround is documented; upgrading is the recommended action. The issue was reported via HackerOne as report #1475686 and is not listed on CISA's KEV as of this writing [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=10.1, <15.3.5, >=15.4, <15.4.4, >=15.5, <15.5.2
- Range: >=10.1, <15.3.5
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The artifact file download endpoint issues a 303 redirect to the GitLab Pages domain instead of serving the file directly, allowing an attacker who controls the artifact HTML content to chain the redirect to an arbitrary external site via JavaScript."
Attack vector
An attacker creates a CI/CD pipeline that outputs an HTML file as an artifact. GitLab's artifact browser at `/GROUP/PROJECT/-/jobs/JOBID/artifacts/file/hej.html` returns a 303 redirect to the GitLab Pages domain (gitlab.io) where the attacker-controlled HTML is served. Because the attacker's HTML can contain JavaScript (e.g. `window.location = "https://example.com"`), any user clicking the official-looking gitlab.com link is first redirected to the Pages domain and then immediately forwarded to an arbitrary external site [ref_id=1]. The link shows no visible redirect parameters, making it indistinguishable from a legitimate GitLab URL. The attack can be delivered via markdown attachment links in wikis or issues, or through a "Login to access GitLab" flow that redirects authenticated users after login [ref_id=1].
Affected code
The issue identifies the artifact file download endpoint at the path `/GROUP/PROJECT/-/jobs/JOBID/artifacts/file/hej.html` on gitlab.com, which returns a 303 redirect to the GitLab Pages domain (gitlab.io) [ref_id=1]. The artifact browser view at `/GROUP/PROJECT/-/jobs/JOBID/artifacts/browse` renders HTML file links as external links pointing to this redirecting endpoint [ref_id=1].
What the fix does
The issue report proposes that clicking an artifact file link should serve the file's contents directly rather than issuing a 303 redirect to the Pages domain [ref_id=1]. The advisory does not include a published patch diff, but the fix would involve changing the artifact file endpoint to return the file content inline or as a download, eliminating the redirect step that allows attacker-controlled HTML to hijack the navigation. No patch is included in the bundle; the remediation guidance is derived from the issue's proposal and the HackerOne report [ref_id=1].
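To make the two behaviours concrete, here is an added Rack-style sketch (not GitLab's code) of the redirect-based artifact endpoint described above beside a direct-serve variant, plus the check a defender would run against either. The artifact store, the Pages host name and the handler names are constructed; the direct-serve variant assumes HTML must be forced to download rather than rendered, since rendering attacker HTML on the trusted origin would trade the open redirect for script execution there.

```ruby
require 'uri'

PAGES_HOST = 'example-group.gitlab.io' # constructed Pages host for the demo

# Constructed artifact store: filename => [content_type, body]
ARTIFACTS = {
  'hack.html'  => ['text/html', "<script>window.location='https://example.com'</script>"],
  'report.txt' => ['text/plain', 'build ok']
}.freeze

# Redirect pattern from the advisory: the trusted origin answers with a 303
# to the Pages domain, so whatever HTML is hosted there drives the navigation.
def serve_artifact_redirect(filename)
  return [404, {}, []] unless ARTIFACTS.key?(filename)
  location = URI::HTTPS.build(host: PAGES_HOST, path: "/-/artifacts/#{filename}").to_s
  [303, { 'Location' => location }, []]
end

# Direct-serve pattern: bytes come from the trusted origin itself. HTML is
# returned as an attachment with a non-executable type so the browser saves
# it instead of running it; nosniff blocks content-type guessing.
def serve_artifact_inline(filename)
  return [404, {}, []] unless ARTIFACTS.key?(filename)
  type, body = ARTIFACTS[filename]
  headers = { 'X-Content-Type-Options' => 'nosniff',
              'Content-Length' => body.bytesize.to_s }
  if type == 'text/html'
    headers['Content-Type'] = 'application/octet-stream'
    headers['Content-Disposition'] = "attachment; filename=\"#{filename}\""
  else
    headers['Content-Type'] = type
    headers['Content-Disposition'] = 'inline'
  end
  [200, headers, [body]]
end

# Defender's check: does a single response hop send the browser off-host?
# Run against the first response only (no automatic redirect following).
def leaves_trusted_host?(response, trusted_host)
  status, headers, = response
  return false unless (300..399).cover?(status) && headers['Location']
  URI(headers['Location']).host != trusted_host
end
```

The same check applied to a live instance means requesting the artifact file URL without following redirects and inspecting the first `Location` header.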
Preconditions
- auth: The attacker must have a GitLab account with the ability to create projects and run CI/CD pipelines.
- input: The attacker must create a pipeline that produces an HTML file as an artifact containing JavaScript that performs a redirect (e.g. window.location).
- network: The victim must be able to reach gitlab.com and the attacker's GitLab Pages site (gitlab.io).
Reproduction
1. Log in as a GitLab user and create a new project.
2. Create a file `hack.html` containing `<script>alert(document.domain); window.location = "https://example.com"</script>`.
3. Configure a CI/CD pipeline with an artifacts section that includes `./` as a path and run it.
4. Navigate to the job's artifact browser at `/user01/project01/-/jobs/JOBID/artifacts/browse`.
5. Copy the link for `hack.html`; it points to `/user01/project01/-/jobs/JOBID/artifacts/file/hack.html`.
6. Visiting that link triggers a 303 redirect to the Pages domain, where the attacker's JavaScript executes and redirects to example.com [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.