GitLab 18 Extends Duo AI Feature
Written by Kay Ewbank   
Thursday, 29 May 2025

GitLab 18 has been released with extensions to the Duo AI-based assistant. The news was followed by reports that Duo had a security vulnerability that provided a route for attackers. The problem has now been fixed. 

GitLab, the web-based repository manager for Git, provides a centralized, integrated platform with an extensive feature set for web developers.

Duo, which is powered by Anthropic's Claude model, is a tool that helps developers write, review, and analyze code. GitLab 18.0 improvements included GitLab Premium and Ultimate with Duo, automatic reviews with Duo Code Review, and better context handling by Duo Code Review. 

GitLab's AI-native features include code suggestions and chat within the IDE. The suggestions can be used to analyze, understand, and explain code, and to refactor code to improve performance or use specific libraries. 

The updated version extends Duo Code Review. Until now, developers had to manually request reviews on each merge request. The new release lets you configure GitLab Duo Code Review to run automatically on merge requests by updating your project's merge request settings. When enabled, Duo Code Review automatically reviews merge requests unless the request is marked as draft. 

The tool also provides more comprehensive context. It now includes a merge request's title and description, and it examines all diffs simultaneously to recognize cross-file relationships and reduce false positives. There's also a list showing the full content of changed files. 

After the release of GitLab 18, security researchers identified a remote prompt injection vulnerability in GitLab's Duo that would allow attackers to steal source code from private projects and manipulate code suggestions shown to other users. The vulnerability has now been fixed, but it shows an interesting way that AI-based tools could be misused.

According to the blog post by Legit Security, GitLab Duo would respond to prompts hidden in a variety of locations in GitLab projects. The vulnerability arose because Duo analyzes the entire context of the page, including comments, descriptions, and the source code — making it vulnerable to injected instructions hidden anywhere in that context. 

Because Duo scans and processes this content to offer helpful AI responses, the hidden prompts tricked it into taking malicious actions, without the user realizing it.

The researchers used a number of techniques to make their malicious prompts harder to spot, including Unicode smuggling with ASCII Smuggler, Base16-encoded payloads, and KaTeX rendering in white text (to make prompts invisible on GitLab's website).
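As an added illustration (not code from GitLab or Legit Security), the following Python scanner flags the three hiding techniques named above in merge request descriptions or comments: Unicode tag-character smuggling, Base16-encoded ASCII runs, and white-text KaTeX. The sample description and all function names are my own constructions.

```python
import re

# ASCII smuggling hides text in the Unicode "tag" block: U+E0020..U+E007E map
# one-to-one onto printable ASCII 0x20..0x7E and render as nothing at all.
TAG_LO, TAG_HI, TAG_BASE = 0xE0020, 0xE007E, 0xE0000

# Even-length hex runs of at least 16 bytes, not glued to other hex digits.
HEX_RUN = re.compile(r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2}){16,}(?![0-9A-Fa-f])")

# KaTeX colour commands that paint text white (e.g. \textcolor{white}{...}).
KATEX_WHITE = re.compile(r"\\(?:textcolor|color)\{\s*(?:white|#?f{3}|#?f{6})\s*\}", re.I)


def decode_tag_chars(text):
    """Return the ASCII text carried by Unicode tag characters ('' if none)."""
    return "".join(chr(cp - TAG_BASE) for cp in map(ord, text) if TAG_LO <= cp <= TAG_HI)


def decode_hex_runs(text):
    """Return hex runs that decode to printable ASCII (commit SHAs almost never do)."""
    decoded = []
    for m in HEX_RUN.finditer(text):
        raw = bytes.fromhex(m.group(0))
        if all(0x20 <= b < 0x7F for b in raw):
            decoded.append(raw.decode("ascii"))
    return decoded


def scan_text(text):
    """Return (finding_kind, evidence) pairs for hidden-text indicators in text."""
    findings = []
    hidden = decode_tag_chars(text)
    if hidden:
        findings.append(("unicode_tag_smuggling", hidden))
    for payload in decode_hex_runs(text):
        findings.append(("base16_payload", payload))
    for m in KATEX_WHITE.finditer(text):
        findings.append(("katex_white_text", m.group(0)))
    return findings


# Constructed sample: a harmless-looking MR description carrying all three markers.
SAMPLE_DESCRIPTION = (
    "Refactor parser.\U000E0068\U000E0069\U000E0064\U000E0064\U000E0065\U000E006E\n"  # tag chars spell "hidden"
    "Note: 68696464656e20696e737472756374696f6e\n"                                      # hex of "hidden instruction"
    "$\\textcolor{white}{x}$ renders invisibly.\n"
)

if __name__ == "__main__":
    for kind, evidence in scan_text(SAMPLE_DESCRIPTION):
        print(f"{kind}: {evidence!r}")
```

Running it on the sample reports each technique once; run it over the text a reviewer or an AI assistant is about to consume, not over the rendered page, since rendering is exactly what hides these markers.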

The team found that they could manipulate Duo's code suggestions, even instructing it to include a malicious JavaScript package in its recommended code. They could also get it to present a malicious URL as safe in Duo's response, causing the user to click it and land on a fake login page.

The researchers also found that because Duo uses a technique called streaming markdown rendering to provide HTML faster, they could insert malicious HTML tags and gain control over parts of the page — including the ability to insert elements like <img> tags that trigger automatic HTTP requests to attacker-controlled servers.

The GitLab team confirmed the HTML injection vulnerability and also acknowledged the prompt injection as a security issue. GitLab confirmed that both vectors had been remediated.

GitLab 18 (complete with fixes to remove the security vulnerability) is available now.

More Information

GitLab Homepage

LegitSecurity Blog Post
