CVE-2023-0155
Description
An issue has been discovered in GitLab CE/EE affecting all versions before 15.8.5, 15.9.4, 15.10.1. Open redirects were possible due to framing arbitrary content on any page allowing user-controlled markdown.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GitLab CE/EE versions before 15.8.5, 15.9.4, and 15.10.1 allow open redirect via unsandboxed iframes from markdown links to observe.gitlab.com.
Vulnerability
GitLab CE/EE versions before 15.8.5, 15.9.4, and 15.10.1 contain an open redirect vulnerability in the markdown rendering pipeline. A feature introduced in GitLab 15.7.0 (merge request !104081) allows users to embed unsandboxed iframes by including links starting with https://observe.gitlab.com in any page that renders user-controlled markdown. The vulnerable code resides in app/assets/javascripts/behaviors/markdown/render_observability.js and lib/banzai/filter/inline_observability_filter.rb [1].
Exploitation
To exploit this vulnerability, an attacker only needs the ability to submit user-controlled markdown content (e.g., via issue comments, wiki pages, or merge request descriptions). The attacker crafts a link to https://observe.gitlab.com that, when rendered, creates an unsandboxed iframe. The framed content can then use JavaScript to navigate the top-level window to an arbitrary external URL, effectively performing an open redirect from a legitimate GitLab page [1].
Impact
Successful exploitation allows an attacker to conduct open redirect attacks. By framing malicious content, the attacker can redirect a victim who clicks on or interacts with the embedded content to an attacker-controlled site. This can be used for phishing, credential theft, or other social engineering attacks, leveraging GitLab's trusted domain for initial trust [1].
Mitigation
GitLab has fixed this issue in versions 15.8.5, 15.9.4, and 15.10.1. Users should upgrade to one of these patched versions or later. There is no known workaround for unpatched instances. The vulnerability has been disclosed via HackerOne report #1817250 [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <15.8.5 / <15.9.4 / <15.10.1
- Range: >=15.7, <15.8.5
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing trailing-slash check in the observability link filter allows attacker-controlled subdomains and credential-containing URLs to match the `https://observe.gitlab.com` prefix, causing arbitrary content to be embedded as an unsandboxed iframe."
Attack vector
An attacker posts markdown containing a link such as `https://observe.gitlab.com@attacker.com/poc.html` or `https://observe.gitlab.com.example.com/evil.html` in any GitLab field that renders markdown (issues, merge requests, wikis, code previews, etc.) [ref_id=1]. The `InlineObservabilityFilter` matches any anchor whose href starts with `https://observe.gitlab.com` because the constant lacks a trailing slash, so the attacker-controlled URL passes the filter [ref_id=1]. GitLab then renders an unsandboxed iframe pointing to the attacker's page, which can navigate the top window to an arbitrary external site, creating an open redirect and a denial-of-service condition on the affected page [ref_id=1]. On self-hosted instances without a restrictive CSP the impact is more severe; on GitLab.com the CSP partially mitigates framing but phishing risks remain [ref_id=1].
Affected code
The vulnerable code is in `lib/banzai/filter/inline_observability_filter.rb`, where the XPath selector `descendant-or-self::a[starts-with(@href, '#{Gitlab::Observability.observability_url}')]` matches any href beginning with the observability URL [ref_id=1]. The constant `Gitlab::Observability.observability_url` is defined in `lib/gitlab/observability.rb` as `https://observe.gitlab.com` without a trailing slash [ref_id=1]. The iframe is rendered by Vue code in `app/assets/javascripts/behaviors/markdown/render_observability.js` without a sandbox attribute [ref_id=1].
What the fix does
The advisory does not include a patch diff, but the expected remediation is to ensure only links pointing to the exact `https://observe.gitlab.com` domain are rendered as iframes [ref_id=1]. The root cause is the missing trailing slash in `Gitlab::Observability.observability_url`, which allows `@`-credential and subdomain variants to match [ref_id=1]. The fix should either append a trailing slash to the URL constant or add a stricter domain-match check in the XPath selector so that `https://observe.gitlab.com.example.com` and `https://observe.gitlab.com@evil.com` are rejected [ref_id=1].
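The two remediations described above can be compared directly in code. The following Ruby is an added illustration, not GitLab's own filter code: it stands in for the `starts-with` XPath match with a plain string prefix test, then shows the trailing-slash variant and a stricter host comparison built on Ruby's standard `URI` library. The constant names `OBSERVABILITY_URL` and `OBSERVABILITY_HOST`, the helper names, and the sample hrefs are assumptions of this example; the first two sample hrefs are the `@`-credential and subdomain forms the page names.

```ruby
require 'uri'

# The URL constant as the page describes it: no trailing slash. Assumed to
# mirror Gitlab::Observability.observability_url; this is not GitLab's code.
OBSERVABILITY_URL = 'https://observe.gitlab.com'.freeze
OBSERVABILITY_HOST = 'observe.gitlab.com'.freeze

# Weak check: a plain prefix test, the string equivalent of the XPath
# starts-with(@href, ...) selector. Any href that merely begins with the
# constant passes, including the "@" and subdomain variants.
def embeddable_by_prefix?(href)
  href.start_with?(OBSERVABILITY_URL)
end

# First remediation the page suggests: require the trailing slash so the
# host portion of the href cannot continue with "@..." or ".example.com".
# Note that it also rejects the bare URL with no path.
def embeddable_by_prefix_with_slash?(href)
  href.start_with?("#{OBSERVABILITY_URL}/")
end

# Stricter remediation: parse the href and compare scheme, host, port and
# userinfo explicitly instead of reasoning about string prefixes.
def embeddable_by_host?(href)
  uri = URI.parse(href)
  return false unless uri.is_a?(URI::HTTPS)   # scheme must be https
  return false unless uri.userinfo.nil?       # reject user:pass@host forms
  return false unless uri.port == 443         # default port only
  uri.host&.downcase == OBSERVABILITY_HOST    # exact host, not a subdomain
rescue URI::InvalidURIError
  false
end

# Audit helper: hrefs the weak prefix filter would embed as an iframe even
# though they do not point at the observability host.
def misclassified_links(hrefs)
  hrefs.select { |h| embeddable_by_prefix?(h) && !embeddable_by_host?(h) }
end

# Constructed sample hrefs for the demonstration.
SAMPLE_HREFS = [
  'https://observe.gitlab.com@attacker.com/poc.html',
  'https://observe.gitlab.com.example.com/evil.html',
  'https://observe.gitlab.com/-/dashboards/1',
  'https://observe.gitlab.com',
  'http://observe.gitlab.com/'
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_HREFS.each do |h|
    puts format('%-50s prefix=%-5s slash=%-5s host=%s', h,
                embeddable_by_prefix?(h),
                embeddable_by_prefix_with_slash?(h),
                embeddable_by_host?(h))
  end
  puts "Wrongly embedded by prefix check: #{misclassified_links(SAMPLE_HREFS).inspect}"
end
```

Running the file lists each sample href with the verdict of all three checks; only the prefix check accepts the first two. The host-based check is the one to prefer when the rendering code is the last line of defence: it tolerates harmless spellings such as an explicit `:443` or uppercase host that a string comparison would reject, while refusing anything whose parsed host is not exactly the expected one.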
Preconditions
- auth: Attacker must have permission to create or edit markdown content (issues, MRs, wikis, etc.) on a GitLab instance
- config: Target instance must be running a GitLab version before 15.8.5, 15.9.4, or 15.10.1
- input: For the @-credential variant, the attack requires Firefox or Safari (Chrome blocks credential URLs in iframes)
- input: For the subdomain variant, the attacker must control a domain with a valid TLS certificate for the multi-level subdomain
Reproduction
1. On a self-hosted GitLab instance (version < 15.8.5, 15.9.4, or 15.10.1), log in as an attacker and navigate to any project.
2. Create a new issue and enter `https://observe.gitlab.com@joaxcar.com/poc/gitlab/redir.html` in the description field (use Firefox).
3. Save the issue. The page redirects to the attacker-controlled URL.
4. Attempting to revisit the issue page results in an immediate redirect, causing a local DoS [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.