Our team noticed that using some string construction in markdown may cause it to fail and output error 502. Thus, disrupting the UI process. This may affect the work in places where there is a GraphQL attribute output.
Userobject in GraphQL :
Reportobject in GraphQL:
vulnerability_information_htmlattribute and other objects with attributes that output this data
We believe that there are two things here, both a partial dos attack and a negative effect in the work. For example, the hackerone_triage team, which checks a lot of reports, will constantly have problems opening the report and will ask the engineering team to change the state of the report to edit the message in markdown. Or you are a collaborator in one of the reports that is being prepared for disclosure. But we are able to respond in such cases. In this way, we can send a message and the report will not be shown, but instead error 502 will be called. Which will also lead to many calls to the support team to resolve these issues
These are just some of the attack vectors, but we believe there could be many more.
I put this in the code so that my PoC wouldn't work. You just need to paste it just by copying it. To be sure, try inserting it into a report created in the sandbox Our team believes that it makes sense to fix this error.