Cyber Resilience

CVE-2024-10383

High

Published: 07 February 2025

Published: 07 February 2025
Modified: 14 August 2025
KEV Added: (not listed)
Patch: (see Mitigation details)
CVSS Score v3.1: 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
EPSS Score: 0.0043 (63.1st percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-10383 is a high-severity Cross-site Scripting (CWE-79) vulnerability in GitLab (vendor GitLab, product GitLab). Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 36.9% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2024-10383 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, in the gitlab-web-ide-vscode-fork component distributed over CDN. It affects all versions of this component prior to 1.89.1-1.0.0-dev-20241118094343. The component is used by all versions of GitLab Community Edition (CE) and Enterprise Edition (EE) starting from 15.11 prior to 17.3, and it also temporarily affected versions 17.4, 17.5, and 17.6. The issue arises when loading .ipynb files in the web IDE.

The vulnerability carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N). Exploitation requires low privileges and is network-accessible with low attack complexity, but it demands user interaction. An attacker can trigger XSS by inducing a victim to load a malicious .ipynb file in the web IDE, achieving high impacts on confidentiality and integrity with a changed scope.

Mitigation details are available in the referenced advisories, including the GitLab issue at https://gitlab.com/gitlab-org/gitlab/-/issues/500785 and the HackerOne report at https://hackerone.com/reports/2765778. Affected instances should update the gitlab-web-ide-vscode-fork component to version 1.89.1-1.0.0-dev-20241118094343 or later, as incorporated in supported GitLab versions beyond the affected ranges.

EU & UK References

Vulnerability details

An issue has been discovered in the gitlab-web-ide-vscode-fork component distributed over CDN affecting all versions prior to 1.89.1-1.0.0-dev-20241118094343 and used by all versions of GitLab CE/EE starting from 15.11 prior to 17.3 and which also temporarily affected versions 17.4, 17.5 and 17.6, where a XSS attack was possible when loading .ipynb files in the web IDE.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.

Why these techniques?

XSS in the public-facing GitLab web IDE enables direct exploitation of the application (T1190) and arbitrary JavaScript execution in the victim's browser context (T1059.007) when a malicious .ipynb file is loaded.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2025-14560 (same product: GitLab GitLab)
- CVE-2025-2255 (same product: GitLab GitLab)
- CVE-2026-0752 (same product: GitLab GitLab)
- CVE-2025-0314 (same product: GitLab GitLab)
- CVE-2025-12716 (same product: GitLab GitLab)
- CVE-2025-13761 (same product: GitLab GitLab)
- CVE-2025-9222 (same product: GitLab GitLab)
- CVE-2026-1090 (same product: GitLab GitLab)
- CVE-2026-6073 (same product: GitLab GitLab)
- CVE-2026-7377 (same product: GitLab GitLab)

Affected Assets

Vendor: gitlab
Product: gitlab
Affected versions: 15.11.0 — 17.3.0 · 17.4.0, 17.5.0, 17.6.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

- prevent (SI-15 Information Output Filtering): Filters output from .ipynb files in the web IDE to prevent execution of malicious scripts causing XSS.
- prevent (SI-10 Information Input Validation): Validates inputs from .ipynb files prior to processing in the gitlab-web-ide-vscode-fork component to block malicious XSS payloads.
- prevent: Ensures timely remediation of the XSS flaw by updating the vulnerable gitlab-web-ide-vscode-fork component to a patched version.

References