Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') in GitLab
Description
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. Open redirection was possible via HTTP response splitting in the NPM package API.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An open redirection vulnerability in GitLab CE/EE allows HTTP response splitting via the NPM package API, enabling attackers to redirect users to malicious sites.
Vulnerability
An open redirection vulnerability exists in GitLab Community Edition (CE) and Enterprise Edition (EE) versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, and all versions starting from 16.0 before 16.0.2. The bug is located in the NPM package API endpoint at /api/v4/projects/{project_id}/packages/npm, where HTTP response splitting is possible by injecting carriage return and line feed characters (%0d%0a) into the URL, allowing an attacker to overwrite the Location header with a controlled value [1].
Exploitation
An attacker can exploit this vulnerability by crafting a URL that includes %0d%0a followed by http:/ and a target domain. For example, the URL http://gitlab.example.com/api/v4/projects/{project_id}/packages/npm/%0d%0ahttp:/%2fexample.com?test will cause the server to split the HTTP response and redirect the user to http://example.com. The attacker only needs to lure a victim into clicking such a link; no authentication or special network position is required because the endpoint is publicly accessible for public projects [1].
Impact
Successful exploitation leads to open redirection, where a user can be redirected from a legitimate GitLab instance to an attacker-controlled website. This can be used for phishing attacks or other social engineering campaigns, as users may believe the destination is trustworthy. The impact is limited to redirection and does not directly result in code execution or data disclosure [1].
Mitigation
The vulnerability is fixed in GitLab versions 15.10.8, 15.11.7, and 16.0.2. Users running affected versions should upgrade immediately. No workaround is available for versions that are end-of-life or currently exposed. The fix involves filtering %0d and %0a characters in the vulnerable endpoint to prevent HTTP response splitting [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=15.4 <15.10.8, >=15.11 <15.11.7, >=16.0 <16.0.2
- Range: >=12.9, <15.10.8
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing sanitization of CRLF characters in the NPM package API URL allows HTTP response splitting and open redirection."
Attack vector
An attacker crafts a URL containing CRLF characters (`%0d%0a`) in the path segment of the NPM package API endpoint. When the server constructs the `Location` header for the redirect, the injected CRLF sequence terminates the header prematurely, allowing the attacker to supply an arbitrary `Location` value. This results in an open redirect that sends users to an attacker-controlled site [ref_id=1].
Affected code
The vulnerable endpoint is the NPM package download API at `/api/v4/projects/
What the fix does
The advisory does not include a published patch diff. The recommended remediation is to filter or reject `%0d` and `%0a` characters in the vulnerable endpoint so that CRLF injection cannot alter the `Location` header value [ref_id=1]. No fix commit is shown in the bundle.
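As an added defensive example (not GitLab's own code), the check below rejects CR/LF in a value that would become a `Location` header, the remediation described above, and a log scan flags requests matching the attack vector. The helper names and the access-log lines are constructed for illustration.

```ruby
require 'cgi'

# Raised when a value destined for an HTTP header carries a CR or LF.
class HeaderInjectionError < StandardError; end

# Returns +value+ unchanged if it can safely become a header value (for
# example a Location header), otherwise raises HeaderInjectionError.
# Both the raw string and one round of percent-decoding are checked, since a
# framework may decode %0d%0a from the path before the header is assembled.
def safe_header_value(value)
  [value, CGI.unescape(value)].each do |candidate|
    raise HeaderInjectionError, 'CR/LF in header value' if candidate.match?(/[\r\n]/)
  end
  value
end

# Path shape from the advisory: /api/v4/projects/{project_id}/packages/npm/...
NPM_API_PATH = %r{/api/v4/projects/[^/\s]+/packages/npm/}
# Encoded CR or LF in either case, or a raw CR/LF that a proxy let through.
CRLF_MARKER  = /%0d|%0a|[\r\n]/i

# Returns true when a request line targets the NPM package API and carries a
# CRLF marker in its path, the pattern described in the advisory.
def suspicious_npm_request?(log_line)
  request = log_line[/"(?:GET|HEAD|POST) (\S+)/, 1]
  return false if request.nil?
  NPM_API_PATH.match?(request) && CRLF_MARKER.match?(request)
end

# Returns the subset of +lines+ that look like response-splitting attempts.
def scan_access_log(lines)
  lines.select { |line| suspicious_npm_request?(line) }
end

# Constructed sample log lines (Common Log Format); not from a real instance.
SAMPLE_LOG = [
  '203.0.113.5 - - [01/Jun/2023:10:00:00 +0000] "GET /api/v4/projects/42/packages/npm/lodash HTTP/1.1" 302 0',
  '203.0.113.5 - - [01/Jun/2023:10:00:01 +0000] "GET /api/v4/projects/42/packages/npm/%0d%0ahttp:/%2fexample.com?test HTTP/1.1" 302 0',
  '198.51.100.9 - - [01/Jun/2023:10:00:02 +0000] "GET /api/v4/projects/42/packages/npm/%0D%0AHTTP:/%2fexample.com HTTP/1.1" 302 0',
  '198.51.100.9 - - [01/Jun/2023:10:00:03 +0000] "GET /api/v4/projects/42/issues?q=%0d%0a HTTP/1.1" 200 512'
].freeze

# Only the two NPM API requests carrying an encoded CRLF are reported.
puts scan_access_log(SAMPLE_LOG)
```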
Preconditions
- auth: The attacker must have a public project on the GitLab instance to obtain a valid project_id.
- config: The target GitLab instance must be version 15.4 through 15.10.8, 15.11 through 15.11.7, or 16.0 through 16.0.2.
- input: The attacker sends a crafted HTTP request containing %0d%0a characters in the URL path.
Reproduction
1. Have a public project ready on the GitLab instance.
2. Run: `curl -vvv "http://
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
- GitLab Security Release: 16.0.2, 15.11.7, and 15.10.8 (GitLab Security Releases, Jun 5, 2023)