CVE-2022-3573
Description
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.5.7, all versions starting from 15.6 before 15.6.4, and all versions starting from 15.7 before 15.7.2. Due to improper filtering of query parameters in the wiki changes page, an attacker can execute arbitrary JavaScript on self-hosted instances running without a strict CSP.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GitLab CE/EE wiki changes page improperly filters query parameters, enabling XSS on self-hosted instances without strict CSP.
Vulnerability
An improper filtering of query parameters in the wiki changes page of GitLab CE/EE allows an attacker to execute arbitrary JavaScript. The issue affects all versions starting from 15.4 before 15.5.7, all versions starting from 15.6 before 15.6.4, and all versions starting from 15.7 before 15.7.2 [1]. The vulnerable code uses request.query_parameters instead of safe_params when generating a toggle whitespace link, allowing injection of parameters like protocol or host that link_to interprets, enabling javascript: URLs [1].
Exploitation
An attacker must be an authenticated user on a self-hosted GitLab instance without strict Content Security Policy (CSP). The attacker crafts a URL like https://YOUR_OWN_INSTANCE/USERNAME/PROJECT_NAME/-/wikis/home/diff?protocol=javascript&host=%250dalert(document.domain)// and convinces a victim to visit it, or plants the link in the wiki changes page [1]. No special privileges or race conditions are required; the vulnerability is triggered by viewing the manipulated diff page.
Impact
Successful exploitation achieves reflected cross-site scripting (XSS), allowing the attacker to execute arbitrary JavaScript in the victim's browser within the GitLab application context. This can lead to session hijacking, data exfiltration, or performing actions on behalf of the victim [1]. The attack is limited to self-hosted instances without strict CSP, as the CSP would block such inline scripts.
Mitigation
GitLab released fixed versions: 15.5.7, 15.6.4, and 15.7.2 [1]. Users should upgrade to these or later versions. As a workaround, enabling strict CSP can prevent exploitation. No other workarounds are available.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=15.4, <15.5.7; >=15.6, <15.6.4; >=15.7, <15.7.2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Improper filtering of query parameters in the wiki changes page allows an attacker to inject dangerous parameters like `protocol` and `host` into a `link_to` helper, enabling JavaScript URL injection."
Attack vector
An attacker crafts a URL to the wiki diff page with malicious query parameters (`protocol=javascript&host=%250dalert(document.domain)//`). When a victim visits this URL and clicks the "Hide whitespace changes" link, the `params_with_whitespace` helper [ref_id=1] passes the unsanitized `request.query_parameters` directly to `link_to`. Because `link_to` interprets parameters such as `protocol` and `host`, the attacker can inject a `javascript:` URL, achieving cross-site scripting (XSS) in the victim's browser. The attack requires the victim to be logged in and to click the link, but no special privileges beyond creating a project are needed [ref_id=1].
Affected code
The vulnerable code is in `app/helpers/diff_helper.rb` lines 280-282, where the `params_with_whitespace` method calls `request.query_parameters` without sanitization [ref_id=1]. This method is invoked from `app/views/projects/diffs/_diffs.html.haml` line 24 via `toggle_whitespace_link(url_for(params_with_whitespace), ...)` [ref_id=1].
What the fix does
The advisory recommends replacing `request.query_parameters` with `safe_params` in the `params_with_whitespace` helper [ref_id=1]. `safe_params` filters out dangerous parameters (such as `protocol` and `host`) that `link_to` would otherwise interpret, preventing the injection of `javascript:` URLs. No patch diff is included in the bundle, but the remediation guidance is clear: use a parameter sanitization method that strips attacker-controllable keys before passing them to the link generation helper [ref_id=1].
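To make the remediation concrete, here is an added illustration written for this page; it is not GitLab's code and not Rails. It uses a minimal stand-in for how a Rails `url_for`-style builder treats a parameter hash: keys such as `protocol`, `host` and `port` are consumed as URL components, while every other key becomes a query-string entry (that treatment is the assumption the example rests on). The hypothetical `params_with_whitespace_unsafe` helper merges the raw query parameters straight into the link hash, as the advisory describes; `params_with_whitespace_safe` first runs them through a `safe_params` filter that drops the structural keys. A `safe_href?` check at the end shows how a defender can verify that a generated toggle link still carries an `http`/`https` scheme. The hostnames and path are constructed sample values.

```ruby
require "uri"

# Keys that a url_for-style builder interprets as URL components rather than
# query parameters (assumption for this illustration, modelled on the advisory).
URL_COMPONENT_KEYS = %w[protocol host port].freeze

# Minimal stand-in for url_for(hash): honours protocol/host/port if present,
# turns everything else into the query string. Not Rails' implementation.
def build_url(path, params)
  params   = params.transform_keys(&:to_s)
  protocol = params.fetch("protocol", "https")
  host     = params.fetch("host", "gitlab.example.com") # constructed default host
  query    = params.reject { |k, _| URL_COMPONENT_KEYS.include?(k) }
  url = "#{protocol}://#{host}#{path}"
  url += "?" + URI.encode_www_form(query) unless query.empty?
  url
end

# Vulnerable shape (hypothetical): the request's query parameters are merged
# into the link hash without filtering, so attacker-supplied protocol/host
# keys reach the URL builder.
def params_with_whitespace_unsafe(query_parameters)
  query_parameters.merge("w" => "1")
end

# Hardened shape (hypothetical safe_params): strip every key the URL builder
# would treat as a URL component before building the toggle link.
def safe_params(query_parameters)
  query_parameters.reject { |k, _| URL_COMPONENT_KEYS.include?(k.to_s) }
end

def params_with_whitespace_safe(query_parameters)
  safe_params(query_parameters).merge("w" => "1")
end

# Builds the "toggle whitespace" href either the vulnerable or the hardened way.
def toggle_whitespace_href(path, query_parameters, safe:)
  merged = safe ? params_with_whitespace_safe(query_parameters) : params_with_whitespace_unsafe(query_parameters)
  build_url(path, merged)
end

# Defender's check: a generated link must keep a plain web scheme.
def safe_href?(url)
  %w[http https].include?(URI.parse(url).scheme)
rescue URI::InvalidURIError
  false
end

# Constructed sample: a request whose query string smuggles structural keys.
def demo
  path = "/group/project/-/wikis/home/diff"
  hostile_query = { "protocol" => "javascript", "host" => "attacker.example" } # constructed
  {
    unsafe: toggle_whitespace_href(path, hostile_query, safe: false),
    safe:   toggle_whitespace_href(path, hostile_query, safe: true)
  }
end

if $PROGRAM_NAME == __FILE__
  demo.each { |kind, href| puts "#{kind}: #{href} (safe scheme: #{safe_href?(href)})" }
end
```

Running the block prints the two generated hrefs side by side: the unfiltered path yields a link whose scheme is `javascript`, the filtered path yields a normal `https` link to the same diff page with only `w=1` appended. The `safe_href?` check is the kind of assertion worth keeping in a helper's unit tests after applying the fix, so a regression that reintroduces `request.query_parameters` is caught before release.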
Preconditions
- Auth: Victim must be logged into the GitLab instance.
- Input: Attacker must craft a URL with malicious query parameters (`protocol` and `host`).
- Network: Victim must visit the crafted URL and click the 'Hide whitespace changes' link.
Reproduction
1. Set up a self-hosted GitLab instance (or use GitLab.com with CSP enabled to observe the blocked attempt).
2. Log in and create a project.
3. Navigate to Wiki and create a page.
4. Visit `https://INSTANCE/USERNAME/PROJECT/-/wikis/home/diff?protocol=javascript&host=%250dalert(document.domain)//`.
5. Click "Hide whitespace changes".
6. Observe that `alert(document.domain)` executes (self-hosted) or CSP blocks it (GitLab.com) [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.