$33,510 Bounty: Exploiting GitLab’s Hidden Redis Injection
GitLab EE 15.3.1 contains a critical vulnerability: by controlling the `default_branch` parameter consumed by the GitHub import feature, and combining Sawyer deserialization behaviour with Redis protocol injection, an attacker achieves remote code execution and full control of the server. The vulnerability was found by a security researcher and awarded a $33,510 bounty. 2025-6-19 06:22:39 Author: infosecwriteups.com (view original)

Abusing Sawyer Deserialization and Redis Protocol Tricks to Achieve Remote Code Execution on GitLab Servers

Monika Sharma

Introduction

When you think of importing a GitHub repository into GitLab, what’s the worst that could happen? For most, it’s a failed import or a few missing commits. But in one case, a critical Remote Code Execution (RCE) vulnerability hid behind GitLab’s GitHub import feature.

This write-up explores how a security researcher leveraged deserialization quirks, Redis protocol abuse, and overlooked method overrides to escalate a seemingly harmless feature into full server compromise, earning a $33,510 bounty.

The Vulnerability at a Glance

  • Platform: GitLab EE 15.3.1
  • Vulnerability: Remote Code Execution via Redis command injection
  • Bounty: $33,510
  • Root Cause: Improper handling of the attacker-controlled `default_branch` value during GitHub import, allowing method-override abuse in Sawyer::Resource
  • Impact: Complete server compromise from a simple API request
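The root cause above chains two generic mechanisms: untrusted JSON keys that turn into methods on an object (so an existing method can be shadowed), and a string carrying a CRLF that reaches Redis through a client framing commands with the legacy inline protocol. The Ruby below is an added example, not code from the original write-up, from GitLab or from the Sawyer gem; `DynamicResource`, `SafeResource`, the `branch` key, the `injected_key` command and the JSON payload are all constructed stand-ins that model the pattern rather than GitLab's actual code path.

```ruby
require "json"

# Added example, not code from the original write-up, GitLab or the Sawyer gem.
# It models the two generic mechanisms the summary names: (1) untrusted JSON keys
# becoming methods on an object, so an existing method such as to_s can be
# shadowed; (2) a CRLF-bearing string reaching Redis through a client that frames
# commands with the legacy inline protocol. Names and inputs are constructed.

# (1) Stand-in for a "hash keys become accessors" resource. Every key of the
# untrusted JSON becomes a singleton method, even one that already exists.
class DynamicResource
  def initialize(attrs)
    attrs.each { |key, value| define_singleton_method(key) { value } }
  end
end

# Hardened stand-in: refuse any key that would shadow an existing method.
class SafeResource
  def initialize(attrs)
    attrs.each do |key, value|
      raise ArgumentError, "refusing to shadow ##{key}" if respond_to?(key, true)
      define_singleton_method(key) { value }
    end
  end
end

# (2a) VULNERABLE framing: Redis' legacy inline protocol treats each
# CRLF-terminated line as one command, so CRLF inside an argument splits it.
def inline_command(*parts)
  parts.map(&:to_s).join(" ") + "\r\n"
end

# (2b) SAFE framing: RESP multi-bulk. Each argument is length-prefixed, so CRLF
# inside an argument is just data. Real clients such as redis-rb frame this way.
def resp_command(*parts)
  out = "*#{parts.size}\r\n"
  parts.each do |p|
    s = p.to_s
    out << "$#{s.bytesize}\r\n#{s}\r\n"
  end
  out
end

# Minimal model of how the server splits a byte stream into commands. Understands
# both RESP arrays and inline lines, as redis-server does.
def parse_commands(stream)
  cmds = []
  buf = stream.dup
  until buf.empty?
    line, buf = buf.split("\r\n", 2)
    buf ||= ""
    if line.start_with?("*")
      args = []
      line[1..].to_i.times do
        len_line, buf = buf.split("\r\n", 2)
        len = len_line[1..].to_i
        args << buf.byteslice(0, len)
        buf = buf.byteslice(len + 2, buf.bytesize - len - 2) || ""
      end
      cmds << args
    elsif !line.empty?
      cmds << line.split(" ")
    end
  end
  cmds
end

# Constructed attacker-controlled JSON: the "to_s" key carries a CRLF payload.
ATTACKER_JSON = '{"name":"repo","to_s":"main\r\nSET injected_key 1"}'

def attacker_resource
  DynamicResource.new(JSON.parse(ATTACKER_JSON))
end

# Returns the commands the server would see under each framing.
def demo
  branch = attacker_resource # branch.to_s is now attacker-controlled
  {
    inline: parse_commands(inline_command("SET", "branch", branch)),
    resp:   parse_commands(resp_command("SET", "branch", branch))
  }
end

if __FILE__ == $PROGRAM_NAME
  r = demo
  puts "inline framing -> #{r[:inline].size} commands: #{r[:inline].inspect}"
  puts "RESP framing   -> #{r[:resp].size} command:  #{r[:resp].inspect}"
  begin
    SafeResource.new(JSON.parse(ATTACKER_JSON))
  rescue ArgumentError => e
    puts "SafeResource: #{e.message}"
  end
end
```

With inline framing the single `SET branch ...` becomes two server-side commands, the second fully attacker-chosen; with RESP framing the same payload is one command whose third argument merely contains a CRLF. The two fixes are independent and both worth applying: never let untrusted keys define methods that already exist on the object, and never assemble Redis commands by string concatenation.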

The Discovery

  1. The Context

Source: https://infosecwriteups.com/33-510-bounty-exploiting-gitlabs-hidden-redis-injection-c2639520331b?source=rss----7b722bfd1b8d---4