gitpod-io/gitpod

gitpod-io/gitpod

Releases1.94K

Frequency1 day

Last Release 3 days ago

Stars13.7K

The developer platform for on-demand cloud development environments to create software faster and more securely.

Log in to subscribe

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2025-55750 ↗	Aug 29, 2025Friday, 29 August 2025, 16:15	6.5 MEDIUM	—
Gitpod is a developer platform for cloud development environments. In versions before main-gha.33628 for both Gitpod Classic and Gitpod Classic Enterprise, OAuth integration with Bitbucket in certain conditions allowed a crafted link to expose a valid Bitbucket access token via the URL fragment when clicked by an authenticated user. This resulted from how Bitbucket returned tokens and how Gitpod handled the redirect flow. The issue was limited to Bitbucket (GitHub and GitLab integrations were not affected), required user interaction, and has been mitigated through redirect handling and OAuth logic hardening. The issue was resolved in main-gha.33628 and later. There are no workarounds.
CVE-2024-21583 ↗	Jul 19, 2024Friday, 19 July 2024, 05:15	4.1 MEDIUM	—
Versions of the package github.com/gitpod-io/gitpod/components/server/go/pkg/lib before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/components/ws-proxy/pkg/proxy before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/pkg/components/auth before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/pkg/components/public-api-server before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/pkg/components/server before main-gha.27122; versions of the package @gitpod/gitpod-protocol before 0.1.5-main-gha.27122 are vulnerable to Cookie Tossing due to a missing __Host- prefix on the _gitpod_io_jwt2_ session cookie. This allows an adversary who controls a subdomain to set the value of the cookie on the Gitpod control plane, which can be assigned to an attacker’s own JWT so that specific actions taken by the victim (such as connecting a new Github organization) are actioned by the attackers session.
CVE-2023-32766 ↗	Jun 5, 2023Monday, 5 June 2023, 15:15	6.1 MEDIUM	—
Gitpod before 2022.11.3 allows XSS because redirection can occur for some protocols outside of the trusted set of three (vscode: vscode-insiders: jetbrains-gateway:).
CVE-2023-0957 ↗	Mar 3, 2023Friday, 3 March 2023, 08:15	8.2 HIGH	—
An issue was discovered in Gitpod versions prior to release-2022.11.2.16. There is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability that allows attackers to make WebSocket connections to the Gitpod JSONRPC server using a victim’s credentials, because the Origin header is not restricted. This can lead to the extraction of data from workspaces, to a full takeover of the workspace.
CVE-2021-35206 ↗	Jun 22, 2021Tuesday, 22 June 2021, 14:15	6.1 MEDIUM	5.8 MEDIUM
Gitpod before 0.6.0 allows unvalidated redirects.