Remote Prompt Injection in Gitlab Duo Leads to Source Code Theft

Get details on the vulnerabilities the Legit research team unearthed in GitLab Duo. TL;DR: A hidden comment was enough to make GitLab Duo leak private source code and inject untrusted HTML into its responses. GitLab patched the issue, and we’ll walk you through the full attack chain — which demonstrates five vulnerabilities from the 2025 OWASP Top 10 for LLMs. Background GitLab Duo, the AI assistant integrated into GitLab and powered by Anthropic’s Claude, is designed to help developers with tasks like code suggestions, security reviews, and merge request analysis. But what if the same AI meant to secure your code could be manipulated into leaking it? That’s exactly what we uncovered: a remote prompt injection vulnerability that allows attackers to steal source code from private projects, manipulate code suggestions shown to other users, and even exfiltrate confidential, undisclosed zero-day vulnerabilities — all through GitLab Duo Chat. In this blog post, we break down how the at ... Read full article.