CVE-2023-2825
Description
An issue has been discovered in GitLab CE/EE affecting only version 16.0.0. An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated path traversal in GitLab 16.0.0 allows arbitrary file read via the project uploads controller when an attachment exists in a deeply nested public project.
Vulnerability
GitLab CE/EE version 16.0.0 is affected by a path traversal vulnerability in the project uploads controller. The :filename parameter is not sanitized, allowing an attacker to use ../ sequences to read arbitrary files on the server. The vulnerability is only reachable when an attachment exists in a public project that is nested within at least five groups. [1]
Exploitation
An unauthenticated attacker can exploit this by accessing a URL like https://gitlab.com//...//uploads/<attachment_hash>/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd where the project is deeply nested (at least five groups deep) and has an existing attachment. The attacker does not need authentication or any special privileges. [1]
Impact
Successful exploitation allows the attacker to read arbitrary files on the GitLab server, such as /etc/passwd, leading to information disclosure. The attacker can read sensitive configuration files, secrets, or other data, potentially compromising the entire GitLab instance. [1]
Mitigation
As of the publication date (2023-05-26), no fix has been released. The vulnerability affects only version 16.0.0. Users should upgrade to a patched version once available. No workaround is provided in the references. [1]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 16.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in the project uploads controller allows path traversal characters in the filename parameter."
Attack vector
An unauthenticated attacker sends a crafted GET request to the project uploads endpoint, supplying a `:filename` parameter containing path traversal sequences (e.g., `..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd`). The request must target a public project that is nested within at least five groups and that has an existing attachment. The server fails to sanitize the filename, so the traversal resolves to an arbitrary file on the filesystem [ref_id=1].
Affected code
The project uploads controller does not sanitize the `:filename` parameter, allowing path traversal characters such as `../` to be passed through. The issue is triggered when an attachment exists in a public project nested within at least five groups [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory states that the expected correct behavior is to sanitize the `:filename` parameter to remove path traversal characters [ref_id=1]. A proper fix would validate or strip sequences like `../` from the filename before the server resolves the file path.
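One way to implement the sanitization described above, as an added Ruby example that is not GitLab's own code: resolve the requested name under an assumed uploads root (`UPLOADS_ROOT` is a placeholder path) and refuse anything that decodes to a traversal, an absolute path, or a path that ends up outside that root.

```ruby
require 'cgi'

# Added example, not GitLab code: placeholder uploads root for illustration.
UPLOADS_ROOT = '/var/opt/gitlab/uploads'

# Returns the absolute path to serve for a requested :filename, or nil when
# the name must be rejected. Called before any file is opened.
def safe_upload_path(filename, root: UPLOADS_ROOT)
  return nil if filename.nil? || filename.empty?

  # Decode repeatedly so double-encoded traversal (..%252F) is caught too;
  # anything still percent-encoded afterwards, or carrying NUL, is refused.
  # (CGI.unescape also maps '+' to space, which is harmless here.)
  name = filename.dup
  3.times do
    decoded = CGI.unescape(name)
    break if decoded == name
    name = decoded
  end
  return nil if name.include?("\0") || name.include?('%')

  # Reject absolute paths, backslashes, a leading '~' (File.expand_path
  # would expand it to a home directory) and any '.' / '..' component.
  return nil if name.start_with?('/', '~') || name.include?('\\')
  parts = name.split('/')
  return nil if parts.any? { |p| p.empty? || p == '.' || p == '..' }

  # Belt and braces: the canonical path must still sit inside the root.
  root_abs = File.expand_path(root)
  full = File.expand_path(name, root_abs)
  return nil unless full.start_with?(root_abs + File::SEPARATOR)
  full
end
```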
Preconditions
- config: The target project must be public and nested within at least five groups.
- config: The project must have at least one existing attachment (upload).
- auth: No authentication is required; the attacker can be unauthenticated.
- network: The attacker must be able to send HTTP requests to the GitLab instance.
- input: The attacker supplies a filename parameter containing path traversal sequences.
Reproduction
1. Create a group and recursively create 10 subgroups, ending with a public project (e.g., `http://gitlab.com/11/22/33/44/55/66/88/99/aa/bb/cc/dd/`).
2. Upload an attachment to that project.
3. Send a GET request to `https://gitlab.com/11/22/33/44/55/66/88/99/aa/bb/cc/dd/uploads/
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
- GitLab Critical Security Release: 16.0.1 (GitLab Security Releases, May 23, 2023)