CVE-2023-0042
Description
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.4 prior to 15.5.7, 15.6 prior to 15.6.4, and 15.7 prior to 15.7.2. GitLab Pages allows redirection to arbitrary protocols.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GitLab Pages allows redirection to arbitrary protocols, enabling potential phishing or token exfiltration via custom URL handlers.
Vulnerability
An open redirect vulnerability exists in GitLab Pages affecting GitLab CE/EE versions starting from 11.4 prior to 15.5.7, 15.6 prior to 15.6.4, and 15.7 prior to 15.7.2 [1]. The auth endpoint in GitLab Pages does not properly restrict the domain parameter, allowing redirection to arbitrary protocols such as mailto://, javascript://, or custom URL schemes [1].
Exploitation
An attacker can craft a malicious URL like https://projects.gitlab.io/auth?domain=mailto://attacker-controlled.com?body=...&state=... and trick a victim into clicking it [1]. After the victim authenticates with GitLab, the browser is redirected to the attacker-specified protocol handler [1]. This can be used on mobile devices to trigger custom URL handlers that may exfiltrate authentication tokens or other sensitive data [1]. No additional privileges beyond the ability to host a GitLab Pages site are needed [1].
Impact
Successful exploitation allows an attacker to redirect users to arbitrary protocol handlers, potentially leading to information disclosure (e.g., authentication tokens leaked via a mailto: body) or phishing attacks [1]. The impact is bounded by the need for user interaction and by which custom URL handlers are present on the target device [1].
Mitigation
GitLab has addressed this issue in versions 15.5.7, 15.6.4, and 15.7.2 [1]. Users should upgrade to these or later versions immediately [1]. No workarounds are available [1]. This CVE is not listed in the CISA Known Exploited Vulnerabilities catalog [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=11.4 <15.5.7 || >=15.6 <15.6.4 || >=15.7 <15.7.2
- Range: >=11.4, <15.5.7
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing protocol validation in GitLab Pages redirect logic allows redirection to arbitrary URI schemes."
Attack vector
An attacker crafts a URL like `https://projects.gitlab.io/auth?domain=mailto://gitlab-com.gitlab.io?body=OMGWTF&state=aaa` [ref_id=1]. When a victim visits this URL and completes the GitLab authentication flow, the server redirects the victim to the `mailto://` protocol, opening the user's mail client. This open-redirect to arbitrary protocols can be exploited on mobile devices to exfiltrate authentication tokens via custom URL handlers [ref_id=1].
Affected code
The issue is in GitLab Pages, the component responsible for serving static websites hosted on GitLab. The advisory [ref_id=1] identifies that the authentication flow in GitLab Pages does not restrict the protocol of redirect URLs, allowing arbitrary schemes such as `mailto://`.
What the fix does
No patch is included in the bundle. The advisory [ref_id=1] states the expected correct behavior is that "redirect should only be possible to `https` or `http` URLs." The fix would require GitLab Pages to validate the protocol of redirect URLs and reject any scheme other than `http` or `https`.
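The scheme check the advisory calls for, written here as an added example in Go (the language GitLab Pages is implemented in); this is not GitLab's own code, and the function name `ValidateRedirectTarget` and the sample inputs are constructed for illustration:

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrBadRedirect is returned for any target that is not an absolute http/https URL.
var ErrBadRedirect = errors.New("redirect target must be an absolute http or https URL")

// ValidateRedirectTarget applies the expected behaviour from the advisory: the
// value passed as the auth endpoint's "domain" parameter may only be followed
// when it is an absolute URL with scheme http or https and a non-empty host.
// mailto:, javascript:, custom app schemes, scheme-relative ("//host") and
// opaque ("https:foo") forms are all rejected. On success the normalised URL
// (lower-cased scheme, userinfo stripped) is returned for the 302 Location.
func ValidateRedirectTarget(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", ErrBadRedirect
	}
	// Compare case-insensitively so a mixed-case scheme cannot slip past.
	scheme := strings.ToLower(u.Scheme)
	if scheme != "http" && scheme != "https" {
		return "", ErrBadRedirect
	}
	// "https:foo" parses with an empty host; "//evil" parses with an empty scheme.
	if u.Host == "" {
		return "", ErrBadRedirect
	}
	u.Scheme = scheme
	u.User = nil // never forward credentials embedded in the redirect target
	return u.String(), nil
}

func main() {
	// Constructed inputs: the advisory's mailto payload plus other non-http forms.
	for _, raw := range []string{
		"mailto://gitlab-com.gitlab.io?body=OMGWTF",
		"javascript:alert(1)",
		"//evil.example/",
		"https:foo",
		"HTTPS://Project.GitLab.io/callback?state=aaa",
	} {
		target, err := ValidateRedirectTarget(raw)
		fmt.Printf("%-46q -> target=%q err=%v\n", raw, target, err)
	}
}
```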
Preconditions
- Input: Victim must visit a crafted GitLab Pages URL that includes a redirect parameter with an arbitrary protocol scheme.
- Auth: Victim must complete the GitLab authentication flow (e.g., log in) to trigger the redirect.
Reproduction
Visit a URL of the form `https://projects.gitlab.io/auth?domain=mailto://gitlab-com.gitlab.io?body=OMGWTF&state=aaa` [ref_id=1]. After completing the login flow, the browser will attempt to open the user's mail client via the `mailto://` protocol handler.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.