
CVE-2023-1708: GitLab CE/EE RCE Vulnerability

CVE-2023-1708 is a remote code execution vulnerability in GitLab CE/EE that exploits non-printable characters in clipboard data to execute unexpected commands. This article covers technical details, affected versions, and mitigation.

Published: February 4, 2026

CVE-2023-1708 Overview

A critical command injection vulnerability has been identified in GitLab CE/EE that allows attackers to execute unexpected commands on victim machines through non-printable characters copied from the clipboard. This vulnerability affects all GitLab versions from 1.0 prior to 15.8.5, versions 15.9 prior to 15.9.4, and version 15.10 prior to 15.10.1. The flaw enables malicious actors to embed hidden commands within seemingly innocuous text that, when copied and pasted by a victim, can execute arbitrary commands on their system.

Critical Impact

This vulnerability allows remote attackers to achieve command execution on victim machines without authentication by exploiting improper handling of non-printable characters in clipboard operations, potentially leading to full system compromise.

Affected Products

  • GitLab Community Edition (CE) versions 1.0 to 15.8.4
  • GitLab Enterprise Edition (EE) versions 1.0 to 15.8.4
  • GitLab CE/EE versions 15.9.0 to 15.9.3
  • GitLab CE/EE version 15.10.0

Discovery Timeline

  • 2023-04-05 - CVE-2023-1708 published to NVD
  • 2025-02-10 - Last updated in NVD database

Technical Details for CVE-2023-1708

Vulnerability Analysis

This vulnerability stems from improper handling of non-printable characters within GitLab's clipboard functionality. When users copy text from GitLab interfaces, hidden non-printable characters can be embedded within the copied content. These characters are not visible to the user but are preserved in the clipboard. When the victim pastes this content into a terminal or command-line interface, the non-printable characters can include control sequences or command delimiters that cause unintended command execution.

The vulnerability is classified under CWE-77 (Command Injection) and CWE-94 (Code Injection), indicating that the core issue involves insufficient sanitization of input that allows injection of executable commands. The attack can be performed remotely over the network without requiring any authentication or user interaction beyond the victim copying and pasting content.

Root Cause

The root cause of this vulnerability lies in GitLab's failure to properly sanitize or strip non-printable characters from content that can be copied to the clipboard. Web applications typically handle visible text, but clipboard operations can preserve hidden control characters such as escape sequences, carriage returns, and other non-printable ASCII characters. GitLab's code failed to filter these dangerous characters before allowing content to be copied, creating an attack surface where malicious payloads could be embedded within seemingly safe text.

Attack Vector

The attack leverages the network-accessible nature of GitLab instances. An attacker can craft malicious content containing non-printable characters and host it within GitLab repositories, issues, merge requests, or other GitLab interfaces. When a victim user copies this content—believing it to be harmless code snippets, commands, or text—the hidden characters are also copied. If the victim then pastes this content into a terminal, the embedded commands execute automatically.

For example, an attacker could embed a newline character followed by a malicious command within what appears to be a simple file path or code snippet. When pasted into a terminal, the newline causes the terminal to execute the first line immediately, then run the hidden malicious command as a separate instruction. This technique is sometimes referred to as "pastejacking" and can result in data theft, malware installation, or complete system compromise depending on the victim's privileges and system configuration.
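The following is an added example, not GitLab's own code or its fix: it shows how a shell would interpret a copied one-liner that carries a hidden line terminator and an escape sequence, beside a copy-button handler that sanitises text before handing it to `navigator.clipboard.writeText`. The function names (`sanitizeForClipboard`, `linesAShellWouldExecute`, `installSafeCopyButton`) and the sample snippet are constructed for the illustration.

```javascript
// Added example (not GitLab's code): hardening a copy-to-clipboard handler.
// A terminal treats LF (0x0A) and CR (0x0D) in pasted text as "run this line now",
// so text offered as a one-line snippet must never carry a hidden line terminator.

// C0 control characters and DEL, except TAB (indentation) and LF/CR (handled below).
const CONTROL_CHARS = /[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/g;
// ANSI CSI sequences (ESC [ ... final byte) and OSC sequences (ESC ] ... BEL or ESC \).
const ANSI_ESCAPES = /\u001B(?:\[[0-?]*[ -\/]*[@-~]|\][^\u0007\u001B]*(?:\u0007|\u001B\\))/g;

// Emulates how a shell sees pasted text: every line terminator ends a command.
function linesAShellWouldExecute(pasted) {
  return pasted.split(/\r\n|\r|\n/).filter((line) => line.trim() !== '');
}

// Sanitise before writing to the clipboard. `multiline` is true for a code-block
// copy button (newlines expected) and false for an inline value such as a file path,
// where a line terminator is replaced by the space the browser displayed in its place.
function sanitizeForClipboard(text, multiline) {
  // Strip whole escape sequences first; removing ESC alone would leave "[2J" behind.
  const out = text.replace(ANSI_ESCAPES, '').replace(CONTROL_CHARS, '');
  return multiline
    ? out.replace(/\r\n?/g, '\n')
    : out.replace(/[\r\n]+/g, ' ').trim();
}

// Wires a button to the clipboard API with sanitisation in the path (browser only).
function installSafeCopyButton(button, getText, multiline) {
  button.addEventListener('click', () => {
    navigator.clipboard.writeText(sanitizeForClipboard(getText(), multiline));
  });
}

// Constructed sample: renders as a file path in the UI, but carries a hidden second
// line and a clear-screen escape sequence that the web page never shows.
const HOSTILE_SNIPPET = './scripts/setup.sh\n\u001B[2Jecho pastejacked\r';

function demo() {
  return {
    before: linesAShellWouldExecute(HOSTILE_SNIPPET),                             // 2 commands
    after: linesAShellWouldExecute(sanitizeForClipboard(HOSTILE_SNIPPET, false)), // 1 command
  };
}
```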

Detection Methods for CVE-2023-1708

Indicators of Compromise

  • Unusual command executions in terminal logs that don't match user-initiated actions
  • Presence of non-printable characters (ASCII control codes 0x00-0x1F, 0x7F) in GitLab content such as issues, comments, or repository files
  • Unexpected outbound network connections following copy-paste operations from GitLab
  • Evidence of clipboard manipulation scripts or content with hidden escape sequences in GitLab repositories

Detection Strategies

  • Implement content inspection rules to detect non-printable characters in GitLab content fields
  • Deploy endpoint detection and response (EDR) solutions to monitor for suspicious command-line activity following browser interactions
  • Analyze web application logs for requests containing encoded non-printable characters
  • Monitor for anomalous process spawning patterns that correlate with clipboard paste events
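As an added example (not SentinelOne's or GitLab's tooling) of the content-inspection rule suggested above, this scanner walks a GitLab issue or comment body, ignores the newlines and tabs that are normal in Markdown and fenced code, and reports the control characters and escape sequences that would be invisible once copied; `inspectContent` and the sample issue text are constructed for the illustration.

```javascript
// Added example (not GitLab's or SentinelOne's code): inspect a GitLab content field
// (issue, comment, MR description) for hidden ASCII control characters. LF and TAB are
// normal in a Markdown body and inside ``` fences, so they are reported only inside an
// inline `code` span, where a copied one-liner should stay on one line; CR, ESC, NUL,
// BEL, DEL and the other C0 codes are reported wherever they appear.
const NAMES = { 0x00: 'NUL', 0x07: 'BEL', 0x09: 'TAB', 0x0A: 'LF', 0x0D: 'CR', 0x1B: 'ESC', 0x7F: 'DEL' };

function controlName(code) {
  return NAMES[code] || '0x' + code.toString(16).toUpperCase().padStart(2, '0');
}

// Caret notation (^J, ^M, ^[, ^?) so a finding can be logged without the control
// codes acting on the analyst's own terminal.
function toCaretNotation(text) {
  return text.replace(/[\u0000-\u001F\u007F]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code === 0x7F ? '^?' : '^' + String.fromCharCode(code + 0x40);
  });
}

function inspectContent(text) {
  const findings = [];
  let inFence = false, inInlineCode = false;
  for (let i = 0; i < text.length; i++) {
    if (text[i] === '`') {                 // track ``` fences and `inline` spans
      let run = 1;
      while (text[i + run] === '`') run++;
      if (run >= 3) inFence = !inFence;
      else if (!inFence) inInlineCode = !inInlineCode;
      i += run - 1;
      continue;
    }
    const code = text.charCodeAt(i);
    if (code > 0x1F && code !== 0x7F) continue;                      // printable
    if ((code === 0x09 || code === 0x0A) && !inInlineCode) continue; // ordinary whitespace
    findings.push({
      offset: i, name: controlName(code), inInlineCode,
      severity: code === 0x09 ? 'low' : 'high',
      context: toCaretNotation(text.slice(Math.max(0, i - 12), i + 12)),
    });
  }
  return findings;
}

// Constructed sample issue body: the inline snippet renders as one command in the
// browser but hides a second line; the last line carries ANSI colour escapes.
const SAMPLE_ISSUE = [
  'Run the installer:', '',
  '`./install.sh\necho hidden`', '',
  '```', 'echo ok', '```',
  'Colours: \u001B[31mred\u001B[0m',
].join('\n');
```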

Monitoring Recommendations

  • Enable comprehensive logging on GitLab instances to track content creation and modification events
  • Configure SIEM rules to correlate GitLab access events with subsequent suspicious terminal activity on user endpoints
  • Implement browser-based security controls that warn users about clipboard content containing non-printable characters
  • Regularly audit GitLab repositories and issues for content containing suspicious character sequences

How to Mitigate CVE-2023-1708

Immediate Actions Required

  • Upgrade GitLab CE/EE to version 15.8.5, 15.9.4, or 15.10.1 or later immediately
  • Review GitLab instances for any suspicious content containing non-printable characters
  • Educate users about the risks of copying and pasting content from untrusted sources into terminals
  • Consider implementing clipboard sanitization tools or browser extensions for sensitive environments

Patch Information

GitLab has released security patches addressing this vulnerability. Organizations should upgrade to the following fixed versions:

  • GitLab 15.8.5 for users on the 15.8.x branch
  • GitLab 15.9.4 for users on the 15.9.x branch
  • GitLab 15.10.1 for users on the 15.10.x branch

Detailed patch information and upgrade instructions are available through the GitLab CVE Database Entry. Additional technical discussion can be found in the GitLab Issue Discussion and the original HackerOne Security Report.

Workarounds

  • Implement web application firewall (WAF) rules to detect and block content containing suspicious non-printable character sequences
  • Configure terminal emulators to display or warn about non-printable characters before executing pasted content
  • Use intermediary text editors that strip non-printable characters before pasting content into terminals
  • Restrict access to GitLab instances from untrusted networks until patches can be applied
```bash
# Example: upgrade an Omnibus (Debian/Ubuntu) GitLab CE install to a patched version.
# Use the fixed release for your branch: 15.8.5, 15.9.4 or 15.10.1.
sudo apt-get update
sudo apt-get install gitlab-ce=15.10.1-ce.0

# Verify the running version after the upgrade. "GitLab information" is only a
# heading in the rake output; the version is on the line that follows it.
sudo gitlab-rake gitlab:env:info | grep -A1 "GitLab information"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: RCE
  • Vendor/Tech: GitLab
  • Severity: CRITICAL
  • CVSS Score: 9.8
  • EPSS Probability: 0.72%
  • Known Exploited: No
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: High

CWE References

  • CWE-77
  • CWE-94

Technical References

  • GitLab Issue Discussion
  • HackerOne Security Report

Vendor Resources

  • GitLab CVE Database Entry

Related CVEs

  • CVE-2026-1868: GitLab AI Gateway RCE Vulnerability
  • CVE-2025-13761: GitLab RCE Vulnerability
  • CVE-2021-22205: GitLab CE/EE RCE Vulnerability
  • CVE-2022-2884: GitLab CE/EE RCE Vulnerability