CVE-2023-2825

CRITICAL NUCLEI

GitLab Authenticated File Read

Title source: metasploit

Exploitation Summary

EIP tracks 8 public exploits for CVE-2023-2825. PoCs published by Occamsec, Groppoxx, alej6, including Metasploit module auxiliary/gather/gitlab_authenticated_subgroups_file_read. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a functional Python exploit for CVE-2023-2825, demonstrating an unauthenticated arbitrary file read vulnerability in GitLab CE/EE 16.0.0 via path traversal. The PoC automates the creation of nested groups, uploads a file, and exploits the vulnerability to read /etc/passwd.

Description

An issue has been discovered in GitLab CE/EE affecting only version 16.0.0. An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups.

Exploits (8)

nomisec WORKING POC 140 stars
by Occamsec · poc
https://github.com/Occamsec/CVE-2023-2825

This repository contains a functional Python exploit for CVE-2023-2825, demonstrating an unauthenticated arbitrary file read vulnerability in GitLab CE/EE 16.0.0 via path traversal. The PoC automates the creation of nested groups, uploads a file, and exploits the vulnerability to read /etc/passwd.

Classification: Working Poc 100%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: GitLab CE/EE 16.0.0
Auth required
Prerequisites: GitLab instance running version 16.0.0 · Ability to create nested groups (11 levels) · Public repository access
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by Groppoxx · poc
https://github.com/Groppoxx/CVE-2023-2825-PoC

This repository contains a functional Python exploit for CVE-2023-2825, an arbitrary file read vulnerability in GitLab CE/EE 16.0.0. The exploit automates the creation of nested public groups and projects, then leverages path traversal in the upload functionality to read arbitrary files from the server.

Classification: Working Poc 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: GitLab CE/EE 16.0.0
Auth required
Prerequisites: Valid GitLab account credentials · Public nested group creation permissions · Target running GitLab CE/EE 16.0.0
devstral-2 · analyzed May 18, 2026

nomisec WRITEUP
by alej6 · poc
https://github.com/alej6/MassCyberCenter-Mentorship-Project-

This repository documents a mentorship project where the author exploited CVE-2023-2825, a path traversal vulnerability in GitLab 16.0.0, to read arbitrary files. The writeup includes technical details about the exploit, mitigation steps, and system administration practices.

Classification: Writeup 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: GitLab 16.0.0
No auth needed
Prerequisites: GitLab 16.0.0 installed on a vulnerable system
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by cc3305 · poc
https://github.com/cc3305/CVE-2023-2825

This repository contains a functional Python exploit for CVE-2023-2825, targeting GitLab's path traversal vulnerability. The script automates the creation of nested groups to traverse directories and read arbitrary files, with support for authentication and proxy usage.

Classification: Working Poc 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: GitLab CE/EE 16.0.0
Auth required
Prerequisites: Valid GitLab credentials · Target running vulnerable GitLab version
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by caopengyan · poc
https://github.com/caopengyan/CVE-2023-2825

This repository contains a functional exploit PoC for CVE-2023-2825, a path traversal vulnerability in GitLab. The script sends a crafted HTTP request to read arbitrary files (e.g., /etc/passwd) by exploiting improper path sanitization in nested group projects.

Classification: Working Poc 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: GitLab (versions affected by CVE-2023-2825)
No auth needed
Prerequisites: Public project with attachments nested in at least five groups
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by Rubikcuv5 · poc
https://github.com/Rubikcuv5/CVE-2023-2825

This repository contains a functional exploit for CVE-2023-2825, a path traversal vulnerability in GitLab CE/EE 16.0.0. The PoC automates the exploitation process by creating nested groups, a project, uploading a file, and then leveraging a path traversal to read arbitrary files (e.g., /etc/passwd).

Classification: Working Poc 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: GitLab Community Edition (CE) and Enterprise Edition (EE) version 16.0.0
Auth required
Prerequisites: Valid credentials for a GitLab instance · GitLab instance running version 16.0.0
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by Tornad0007 · poc
https://github.com/Tornad0007/CVE-2023-2825-Gitlab

This repository contains a functional Python exploit for CVE-2023-2825, a path traversal vulnerability in GitLab 16.0.0. The PoC automates the creation of nested groups, a public repository, and file upload to exploit the vulnerability and read arbitrary files (e.g., /etc/passwd).

Classification: Working Poc 100%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: GitLab Community Edition (CE) and Enterprise Edition (EE) version 16.0.0
Auth required
Prerequisites: GitLab 16.0.0 instance · Valid user credentials · Ability to create nested groups and repositories
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC
by h00die, pwnie, Vitellozzo · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/gitlab_authenticated_subgroups_file_read.rb

This Metasploit module exploits a directory traversal vulnerability in GitLab 16.0.0, allowing authenticated users to read arbitrary files by creating nested groups and a project to facilitate path traversal.

Classification: Working Poc 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: GitLab 16.0.0
Auth required
Prerequisites: Valid GitLab credentials · Ability to create groups and projects · GitLab version 16.0.0
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

GitLab 16.0.0 - Path Traversal
HIGH · VERIFIED · by DhiyaneshDk, rootxharsh, iamnoooob, pdresearch
Shodan: title:"Gitlab" || cpe:"cpe:2.3:a:gitlab:gitlab" || http.title:"gitlab"
FOFA: title="gitlab"

Scores

CVSS v3 10.0
EPSS 0.7164
EPSS Percentile 99.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE CWE-22
Status published
Products (1)
gitlab/gitlab 16.0.0 (2 CPE variants)
Published May 26, 2023
Tracked Since Feb 18, 2026