CVE-2023-32766 - Exploring Gitpod’s Pre-2022.11.3 XSS Vulnerability via Open Redirect
If you’re a developer who regularly works with cloud-based development environments, you might already be familiar with Gitpod. It’s a cool tool, but like any software, it’s not immune to security hiccups. Today, we’re diving into CVE-2023-32766, a Cross-Site Scripting (XSS) vulnerability that affected Gitpod deployments before version 2022.11.3. We’ll break down what went wrong, how attackers could take advantage, and what you should watch out for.
What is CVE-2023-32766?
CVE-2023-32766 is a vulnerability identified in Gitpod versions released before 2022.11.3. Essentially, the bug allowed attackers to use *open redirects* with unexpected protocols, meaning a user could be tricked into visiting a URL using a protocol not on Gitpod’s trusted list. That list was meant to cover only the editor-launch schemes Gitpod knows about, such as vscode:, vscode-insiders: and jetbrains-gateway:.
But the implementation wasn’t bulletproof. Other protocols slipped through the cracks, including potentially dangerous ones like javascript: or data:. This made well-crafted URLs a weapon for XSS (Cross-Site Scripting) attacks.
How Did the Vulnerability Work?
When a user clicked on certain links (such as "Open in VS Code"), Gitpod would redirect them based on a query string. Here’s a simplified example of the vulnerable code logic prior to the fix:
// Example simplified code (Express-style handler; req and res are the request and response objects)
const allowedProtocols = ['vscode:', 'vscode-insiders:', 'jetbrains-gateway:'];
const redirectUrl = req.query.url; // e.g., "vscode://whatever" or "javascript:alert(1)"
// Treat everything before the first colon as the scheme
const protocol = redirectUrl.split(':')[0] + ':';
if (allowedProtocols.includes(protocol)) {
  res.redirect(redirectUrl);
} else {
  // Oops! Unsafe protocol, but what if protocol isn’t correctly checked?
  res.status(400).send('Unsafe protocol!');
}
But if an attacker crafted a tricky URL—maybe by using weird encoding or obscure protocol schemes—Gitpod would sometimes let the redirect happen regardless.
Example exploit URL
https://gitpod.example.com/path/to/resource?url=javascript:alert(1)
If an unsuspecting user clicks such a link, their browser would execute alert(1), proving that any JavaScript code could run.
1. Craft a malicious link: the attacker makes a link where the url parameter points to a malicious protocol like javascript:alert('XSS').
2. Victim clicks: if the Gitpod installation was older than 2022.11.3, and the implementation failed to properly filter the protocol, the user’s browser executed the attacker’s JavaScript.
Example Payloads
<!-- HTML Example -->
<a href="https://gitpod.example.com/foo?url=javascript:alert(document.cookie)">Click me!</a>
Gitpod should block this, but before the patch, it didn’t always do so.
Fixing the Issue
Gitpod patched this vulnerability in version 2022.11.3, tightening up the protocol validation and making sure only the allowed schemes passed through.
What did the patched code do differently?
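The page does not reproduce the patched code, so what follows is an added example (not Gitpod’s own code) of how the check in the snippet above can be hardened in Node.js: parse the query value with the built-in WHATWG URL parser, compare the normalised scheme against an allow list, and reject non-string or unparsable input instead of crashing on it. The names naiveProtocol, checkRedirectTarget and handleOpenRedirect are assumed for illustration.

```javascript
// Added example, not Gitpod's code: allow-list validation of a redirect
// target read from a query string. Only Node's built-in URL parser is used.
const ALLOWED_PROTOCOLS = new Set(['vscode:', 'vscode-insiders:', 'jetbrains-gateway:']);

// Shape of the check in the vulnerable snippet above (text before the first
// colon), kept here only so the two can be compared side by side.
function naiveProtocol(redirectUrl) {
  return redirectUrl.split(':')[0] + ':';
}

// Hardened check. Returns { ok: true, target } for an acceptable target,
// otherwise { ok: false, reason }; callers redirect only when ok is true.
function checkRedirectTarget(raw) {
  // Express turns ?url=a&url=b into an array and a missing value is
  // undefined; the naive check throws on both instead of rejecting them.
  if (typeof raw !== 'string' || raw.length === 0) {
    return { ok: false, reason: 'url must be a single non-empty string' };
  }
  let parsed;
  try {
    // The URL parser lowercases the scheme, strips surrounding whitespace and
    // embedded tabs/newlines, and throws on relative or malformed input, so the
    // scheme compared below is the one a browser would actually act on.
    parsed = new URL(raw);
  } catch {
    return { ok: false, reason: 'not an absolute URL' };
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    return { ok: false, reason: `scheme ${parsed.protocol} is not allowed` };
  }
  // Redirect to the normalised form, never to the raw query value.
  return { ok: true, target: parsed.href };
}

// Stand-in for the Express handler (hypothetical): returns the response it
// would send rather than writing to res, so it can be exercised offline.
function handleOpenRedirect(query) {
  const result = checkRedirectTarget(query.url);
  if (result.ok) return { status: 302, location: result.target };
  return { status: 400, body: `Unsafe redirect target: ${result.reason}` };
}
```

The same validation applies whether the redirect is issued server-side or by dashboard JavaScript assigning window.location, since both hand the attacker-controlled scheme to the browser.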
Summary
CVE-2023-32766 reminds us how open redirects and sloppy protocol checks can invite XSS into even well-maintained platforms like Gitpod. If you self-host Gitpod, make sure you’re running at least version 2022.11.3, and always be cautious about clicking on links that look suspicious—especially those that include unexpected URL protocols.
If you want to play around in a safe, offline environment, you can experiment with the code snippet above (but never try this in real-world apps you don’t own!).
Timeline
Published on: 06/05/2023 15:15:00 UTC
Last modified on: 06/09/2023 22:42:00 UTC