Security researchers have uncovered a critical vulnerability in GitLab Duo, Anthropic’s Claude-powered AI assistant, that allowed attackers to manipulate the system into leaking private source code and injecting malicious HTML content.
The exploit chain demonstrates multiple vulnerabilities from the 2025 OWASP Top 10 for LLMs, highlighting significant risks in AI-integrated development platforms.
The vulnerability exploited GitLab Duo’s context-awareness feature, which analyzes entire project contexts including merge request descriptions, commit messages, issue comments, and source code to generate helpful responses.
Researchers discovered that Duo would respond to hidden prompts embedded anywhere within this contextual data, creating an attack vector through seemingly innocent project content.
To make these malicious prompts less detectable, attackers employed sophisticated encoding methods including Unicode smuggling with ASCII Smuggler, Base16-encoded payloads, and KaTeX rendering in white text.
The KaTeX formatting technique proved particularly effective, allowing attackers to publish invisible instructions within GitLab’s interface that remained undetectable to human reviewers while still being processed by the AI assistant.
These hidden instructions could manipulate Duo’s behavior in several dangerous ways, including suggesting malicious JavaScript packages in code recommendations, presenting harmful URLs as safe, and convincing the AI to endorse malicious merge requests as secure.
The technique effectively turned the AI assistant into an unwitting accomplice for social engineering attacks against developers.
HTML Injection Enables Data Exfiltration
The most severe aspect of the vulnerability emerged from GitLab Duo’s real-time markdown rendering system.
Researchers observed that Duo’s responses were rendered progressively as they streamed in, creating a window for HTML injection before proper sanitization could occur.
This asynchronous parsing meant that malicious HTML tags could be interpreted and rendered before the full response structure was established.
While GitLab implemented DOMPurify sanitization to prevent XSS attacks, certain HTML tags like <img>, <form>, and <a> weren’t removed by default.
Exploiting this gap, attackers crafted prompts that instructed Duo to extract sensitive information from private projects, encode it in Base64, and embed it within injected HTML image tags that would automatically trigger HTTP requests to attacker-controlled servers.
The attack scenario involved embedding hidden prompts in public project content, then exploiting Duo’s elevated permissions to access private repositories that the victim user could view.
When victims interacted with Duo for routine code reviews, the AI would unknowingly execute the malicious instructions, leading to automatic exfiltration of confidential source code through seemingly innocent image loading requests.
GitLab Patches Critical Security Flaw
Following responsible disclosure on February 12, 2025, GitLab confirmed both the HTML injection vulnerability and prompt injection as legitimate security issues.
The company implemented comprehensive patches through duo-ui!52, specifically preventing Duo from rendering unsafe HTML tags that point to external domains outside gitlab.com infrastructure.
The vulnerability’s implications extended beyond code theft to potentially exposing zero-day vulnerability reports and confidential security disclosures stored in private GitLab issues.
This demonstrated how AI assistants integrated into development workflows inherit not just helpful context, but also significant security risks that require careful mitigation strategies in enterprise environments.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.
.webp?resize=1068,580&ssl=1&description=Security researchers have uncovered a critical vulnerability in GitLab Duo, Anthropic's Claude-powered AI assistant, that allowed attackers to manipulate the system.){kind=link}