CVE-2024-0402

CRITICAL LAB

GitLab 16.0-16.8.1 Path Traversal & Arbitrary File Write via Workspace


Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-0402. PoCs published by doyensec.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2024-0402, leveraging a malicious Devfile Registry to perform arbitrary file writes on GitLab instances via path traversal in the registry-support library. The exploit overwrites the SSH authorized_keys file to achieve remote code execution as the 'git' user.

Description

An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 which allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace.

Exploits (1)

nomisec WORKING POC 15 stars
by doyensec · poc
https://github.com/doyensec/malicious-devfile-registry


Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: GitLab EE <=16.8.0
Auth required
Prerequisites: GitLab instance with Workspaces enabled · Developer authentication · Access to modify repository's .devfile.yaml
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3 9.9
EPSS 0.0330
EPSS Percentile 86.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Lab Environment

COMMUNITY SUSPICIOUS
Community Lab
docker pull registry.access.redhat.com/ubi8/go-toolset:1.18
docker pull quay.io/devfile/devfile-index-base:next

Details

CWE CWE-22
Status published
Products (6)
gitlab/gitlab 16.8.0 (2 CPE variants)
GitLab/GitLab 16.0 - 16.5.8
gitlab/gitlab 16.0.0 - 16.5.8 (2 CPE variants)
GitLab/GitLab 16.6 - 16.6.6
GitLab/GitLab 16.7 - 16.7.4
GitLab/GitLab 16.8 - 16.8.1
Published Jan 26, 2024
Tracked Since Feb 18, 2026