CVE-2024-9387 - Exploiting Open Redirect in GitLab Releases API (11.8–17.6.2)

An open redirect vulnerability is often considered low-to-medium risk—but, in the wrong hands, it can be used for phishing, stealing credentials, or leading users to malicious websites without their knowledge. CVE-2024-9387 is an open redirect flaw recently discovered in GitLab Community Edition (CE) and Enterprise Edition (EE), specifically affecting all versions from 11.8 up to 17.4.6, 17.5 up to 17.5.4, and 17.6 up to 17.6.2. In this long read, we’ll break down what the vulnerability is, how it’s exploited, and what you can do to patch or protect your systems. Whether you’re a GitLab admin or just interested in web security, this guide has you covered.

What is CVE-2024-9387?

CVE-2024-9387 is an open redirect issue in the [GitLab][1] Releases API endpoint. When a release is created or updated via the API, certain parameters (such as asset url) are not properly validated. This allows an attacker to craft a URL that redirects an unsuspecting user to their own malicious website.

Affected Versions

- CE/EE 11.8 to 17.4.5

17.6.2

Read the official GitLab security advisory [here][2].

Why Does Open Redirect Matter?

Usually, web apps only let users redirect to safe, trusted URLs. An open redirect bug means attackers can make a link that looks like it goes to a legit site, but actually lands someone somewhere dangerous. Common criminal uses include:

How CVE-2024-9387 Works

This vulnerability centers around GitLab's Releases API. When creating or updating a “release”, there’s a parameter for specifying an asset link, typically pointing to a binary download or documentation.

Normally, only whitelisted/allowed URLs should be accepted, or there should at least be a check to prevent redirection to external, potentially dangerous sites. In the affected versions… this check didn’t happen.

Proof of Concept: Exploiting the Bug

Let’s see how an attacker would use this in practice.

1. Craft a Malicious Release Asset

Using the (authenticated) Releases API, an attacker (or an internal malicious user) creates a fake release with an external asset link.

Example Request (cURL)

curl --request POST "https://gitlab.example.com/api/v4/projects/123/releases"; \
--header "PRIVATE-TOKEN: attacker_token" \
--form "name=Malicious Release" \
--form "tag_name=v1..-m" \
--form "description=Look at this cool download!" \
--form "assets[links][][name]=Malicious Link" \
--form "assets[links][][url]=https://evil.com/phish";

Note: The vulnerable endpoint is /api/v4/projects/:id/releases.

2. Victim Clicks the Link

When viewing this release in GitLab (web UI or API), the link “Malicious Link” is shown. The url is not sanitized or checked. Victims could be tricked into clicking the release’s asset, thinking it’s a legit part of the software, and are instantly redirected to https://evil.com/phish.

Example HTML in GitLab page

<a href="https://gitlab.example.com/api/v4/projects/123/releases/v1../assets/links/567">;
  Malicious Link
</a>

But when you access that link, it results in a redirect to the attacker’s external URL due to missing validation.

3. Real-World Impact

- This is dangerous if the attacker has any privileges to create releases (for example, a compromised maintainer's account, or a public project allowing MRs and PRs).
- The malicious link appears as part of the official GitLab instance, so it may easily bypass security warnings.

Monitor your GitLab logs for Releases API calls where url is an external (non-local) link.

- Flag hostnames not belonging to your org (e.g., url with http[s]:// that does not match your domain).

Example Query (using jq for API logs)

cat access.log | grep "/releases" | grep "url=http" | grep -v "yourdomain.com"

In Summary

Open redirects may not be the flashiest vulnerability, but CVE-2024-9387 in GitLab could be a powerful phishing or malware campaign vector—especially in the context of a trusted developer platform. If you haven’t already, patch your GitLab instance immediately. If you can’t, restrict API write access, and audit public links.

> As always, treat third-party web links in trusted applications with skepticism, and stay vigilant for suspicious redirects!


[1]: https://gitlab.com/
[2]: https://about.gitlab.com/releases/2024/06/25/security-release-gitlab-17-6-2-released/
[3]: https://about.gitlab.com/install/
[4]: https://nvd.nist.gov/vuln/detail/CVE-2024-9387
[5]: https://owasp.org/www-community/attacks/Unvalidated_Redirects_and_Forwards_Cheat_Sheet

Timeline

Published on: 12/12/2024 12:15:28 UTC