Description
mcp-gitlab contains a path traversal vulnerability in the job_id parameter of build/index.js that allows attackers to redirect GitLab API requests to arbitrary endpoints. Attackers can supply crafted job_id values like ../../../user to escape the intended path prefix and access arbitrary GitLab API resources using the operator's personal access token.
Problem types
External Control of File Name or Path
Product status
Any version before 2.1.18
Credits
George Chen
References
github.com/zereight/gitlab-mcp/issues/587
github.com/zereight/gitlab-mcp/issues/587 (Pull Issue)
github.com/zereight/gitlab-mcp (Product Details)
github.com/...ommit/e2a81a047ab8750fa5bfa1763b5d85e5616f3994 (Patch Commit)
www.vulncheck.com/...lab-path-traversal-via-job-id-parameter