Qodo’s Commitment to Security and Quality


At Qodo, we take software quality and software security seriously and continuously work to improve the robustness of our products. Recently, a security researcher presented findings regarding vulnerabilities in Qodo Merge, primarily affecting open-source repositories. We appreciate the efforts of the security community and want to provide clarity on our response, the fixes we have implemented, and our ongoing commitment to security.
Background:
- PR-Agent is an open-source tool: https://github.com/qodo-ai/pr-agent
- Qodo Merge is a closed-source application with a separate codebase and various integration options, e.g. as a GitHub app: https://github.com/apps/qodo-merge-pro
Understanding the Security Report
The reported vulnerabilities centered on potential privilege escalation on GitLab, unauthorized write access to GitHub repositories, and the leakage of repository secrets. These issues were specific to open-source projects using Qodo Merge and did not affect private repositories or enterprise customers.
It is important to note:
- The vulnerabilities required an attacker to have specific access to a repository where Qodo Merge was installed.
- We have found that some of the reported attack vectors relied on outdated configurations or versions that had since been modified.
- One of the attack methods was only viable when using GPT-4, while our default model has been Claude for over three months.
Security Fixes Implemented
Upon reviewing the research findings, we implemented the following fixes:
- Sanitizing the /ask tool to prevent unintended command execution.
- Restricting parameter overrides from pull request comments, ensuring critical settings cannot be manipulated externally.
- We’ve further hardened the app, e.g. with further __
The security patches addressing these concerns have been merged and deployed, for example:
- PR #1426: Sanitizing, e.g. preventing the answer of the `/ask` command from starting with `/`, so it won’t trigger GitLab’s own commands that also start with `/`, like `/approve`.
- PR #1425: Forbidding certain arguments, e.g. expanding the list of restricted sensitive configuration parameters in CLI arguments.
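The two fixes described above, sketched as an added example (this is not PR-Agent's or Qodo Merge's code). The deny-list entries, function names and sample arguments are constructed for illustration, and escaping every line rather than only the first character of the answer assumes GitLab reads a quick action from any line of a comment.

```python
import re

# Hypothetical deny-list fragments, constructed for this example (not the project's list).
FORBIDDEN_KEY_FRAGMENTS = ("secret", "token", "api_key", "base_url", "webhook")

# A line whose first non-blank character is '/' could be read as a quick action.
_SLASH_LINE = re.compile(r"^([ \t]*)/", re.MULTILINE)


def neutralize_quick_actions(answer: str) -> str:
    """Escape the leading '/' of every line in model output before posting it.

    '\\/' still renders as '/' in Markdown, but the line no longer starts
    with a slash, so '/approve' in an answer stays plain text.
    """
    return _SLASH_LINE.sub(r"\1\\/", answer)


def split_comment_args(args):
    """Split '--section.key=value' overrides taken from a PR comment.

    Returns (allowed, rejected). Keys are normalized (case, '-' vs '_')
    before matching so trivial spelling variants do not bypass the list.
    """
    allowed, rejected = [], []
    for arg in args:
        key = arg.lstrip("-").split("=", 1)[0].lower().replace("-", "_")
        if any(fragment in key for fragment in FORBIDDEN_KEY_FRAGMENTS):
            rejected.append(arg)
        else:
            allowed.append(arg)
    return allowed, rejected


def handle_comment_command(args):
    """Fail closed: one forbidden override rejects the whole command."""
    allowed, rejected = split_comment_args(args)
    if rejected:
        raise PermissionError(f"override not allowed from a comment: {rejected}")
    return allowed


if __name__ == "__main__":
    # Constructed sample: an answer that a prompt injection steered toward a command.
    print(neutralize_quick_actions("/approve\nSee src/app.py for details."))
    print(split_comment_args(["--review.num_findings=3", "--llm.API-KEY=x"]))
```

A deny-list only covers the settings someone thought to list; an allow-list of the overrides a comment may set is the stricter variant of the same check.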
Addressing the Communication Gap
We acknowledge that security communication is crucial. While we made efforts to engage with the researcher after the initial disclosure, there were misalignments in response timelines. We regret any frustration this caused and have taken steps to improve our handling of security reports, including:
- Establishing a dedicated security contact: [email protected]
- Enhancing our SECURITY.md documentation across all repositories
- Implementing a .well-known/security.txt on our website for clear reporting guidelines
Looking Ahead: Strengthening Security Practices
Security in AI-assisted development is an evolving challenge. We are committed to continuously improving our security posture through:
- Regular audits and penetration testing (done regularly)
- Clearer security disclosure policies (work in progress, ETA 25’Q1)
- Expanding responsible disclosure programs, including potential bug bounties (work in progress, ETA 25’Q2)
- Improving default configurations and mitigations for prompt injection to minimize risk for our open-source users (work in progress, ETA 25’Q2)
We recognize that prompt injection and LLM security remain open research challenges. We actively monitor developments in this space and will continue refining our security guardrails as best practices emerge. Once again, our Enterprise clients using Qodo Merge on their inner-source—whether self-hosted or Qodo-hosted—were exposed only to internal users’ pull request interaction, which could have resulted in prompt injections (e.g., internal users that have access to their internal GitLab repos).
We recommend that readers follow security best practices such as defense in depth and the principle of least privilege, and consult the OWASP Top 10 for LLMs for more security guidance.
Acknowledging the Security Research Community
We appreciate the work of researchers like Nils Amiet and their contributions to making Qodo Merge and the broader ecosystem more secure. Their insights have helped drive security improvements that benefit both open-source and enterprise users.
We have made efforts, e.g. by responding via email to Nils right away when receiving the first report. While we developed the fixes in a short time, we acknowledge that we should have persisted in our communication efforts with Nils. Learning from this, we have put forward a plan to establish a formal bug bounty program in FY2025.
Conclusion
Our mission at Qodo is to build high-quality, secure AI-powered development tools. While no system is immune to security challenges, our rapid response to these findings demonstrates our commitment to transparency, security, and customer trust. We will continue working with the security community to uphold the highest standards in AI-driven software development.
For any security concerns, please reach out to [email protected].