cbcvebase.
CVE-2021-39935
published 2021-12-13

Priority: P1 (85) · Severity: high · CVSS 3.1 base score: 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2026-02-24
Exploited in the wild
EPSS: 30.50% (98.0th percentile)

An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Unauthorized external users could perform Server Side Requests via the CI Lint API.

Affected

9 ranges

Vendor   Product    Version range                   Fixed in
debian   gitlab     < gitlab 15.10.8+ds1-2 (sid)    gitlab 15.10.8+ds1-2 (sid)
gitlab   gitlab     (not listed)                    (not listed)
gitlab   gitlab     (not listed)                    (not listed)
gitlab   gitlab     (not listed)                    (not listed)
gitlab   gitlab     (not listed)                    (not listed)
gitlab   gitlab     >= 10.5.0, < 14.3.6             14.3.6
gitlab   gitlab     >= 14.4.0, < 14.4.4             14.4.4
gitlab   gitlab     >= 14.5.0, < 14.5.2             14.5.2
gitlab   gitlab_ce  (not listed)                    (not listed)

Detection & IOCs (extracted from sources)

URL:           POST /api/v4/ci/lint?include_merged_yaml=true
Request body:  {"content":"include:\n remote: http://127.0.0.1/test.yml"}
Request body:  {"content": "include:\n remote: http://127.0.0.1:9100/test.yml"}
Port:          9100
  • Detect exploitation attempts by monitoring POST requests to the CI Lint API endpoint (/api/v4/ci/lint) whose JSON body carries an 'include: remote:' entry pointing at loopback (127.0.0.1) or RFC 1918 addresses; these are SSRF probes against internal network resources.
  • Alert on HTTP 200 responses from /api/v4/ci/lint with an application/json body containing the string 'does not have valid YAML syntax!'. GitLab reports this error only after it has retrieved the remote include and failed to parse it, so the message shows the server-side request reached its target rather than being blocked.
  • Use Shodan/FOFA queries to identify exposed GitLab instances as potential targets: http.title:"GitLab" (Shodan) or title="gitlab" (FOFA).
  • Monitor POST requests to /api/v4/ci/lint that carry no API credential (no PRIVATE-TOKEN or Authorization header and no session cookie) or that come from accounts flagged as external users, since the vulnerability lets unauthorized external users reach this endpoint.
  • The vulnerability is only exploitable when 'requests to the internal network for webhooks are enabled' on the GitLab instance (the outbound-requests setting in the Admin Area), and it remains exploitable even if registration is restricted.
  • Limiting self-registration is therefore not a mitigation: the endpoint is reachable by unauthorized external users on a restricted instance, and on an instance with open registration any new sign-up has the same access. Treat the endpoint as exposed until the fixed version (14.3.6, 14.4.4 or 14.5.2) is installed.
  • The Nuclei template targets CVE-2021-22214 but explicitly covers CVE-2021-39935 and CVE-2021-22175 as well, since the same SSRF primitive spans all three CVEs, which were fixed in separate patches.
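Detection logic for the indicators above, as an added example that is not part of this page's sources and not a GitLab or Nuclei artifact: a Python classifier that takes request/response records, pulls every 'include: remote:' URL out of the JSON body, flags targets in loopback, RFC 1918, link-local or reserved space, and raises the verdict to "confirmed" when the 200 response also carries the 'does not have valid YAML syntax!' marker. The record field names, the sample events and the response JSON are constructed for the example (GitLab's real lint response format is not copied from the page), and the list of credential carriers (PRIVATE-TOKEN, Authorization, session cookie) is an assumption about how GitLab API calls are authenticated.

```python
import ipaddress
import json
import re
from typing import Optional
from urllib.parse import urlparse

LINT_PATH = "/api/v4/ci/lint"
# Response fragment this page lists as the sign that GitLab fetched the remote include.
FETCHED_MARKER = "does not have valid YAML syntax!"
# Credential carriers GitLab's API accepts (assumption for this example); none present => unauthenticated.
AUTH_HEADERS = ("private-token", "authorization", "cookie")
# `remote: <url>` lines inside the submitted CI config; handles `remote:` and `- remote:` forms, quoted or not.
REMOTE_RE = re.compile(r"remote:\s*['\"]?(\S+?)['\"]?\s*$", re.MULTILINE)


def remote_includes(body: str) -> list:
    """Return every include: remote URL found in the JSON-wrapped CI config."""
    try:
        content = json.loads(body).get("content", "")
    except (ValueError, AttributeError):
        return []  # not JSON, or JSON that is not an object
    if not isinstance(content, str) or "include:" not in content:
        return []
    return REMOTE_RE.findall(content)


def is_internal_target(url: str) -> bool:
    """True when the include URL points at loopback, RFC 1918, link-local or reserved address space."""
    host = urlparse(url).hostname
    if host is None:
        return False
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname; resolving it is out of scope for this example
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_reserved


def classify(event: dict) -> Optional[dict]:
    """Score one request/response record against the indicators on this page.

    Returns None for traffic that is not a lint request with an internal include,
    otherwise a dict whose verdict is "probe" (internal target requested) or
    "confirmed" (200 response also carries FETCHED_MARKER, i.e. the fetch happened).
    """
    if event.get("method") != "POST" or urlparse(event.get("path", "")).path != LINT_PATH:
        return None
    targets = [u for u in remote_includes(event.get("body", "")) if is_internal_target(u)]
    if not targets:
        return None
    headers = {k.lower() for k in event.get("headers", {})}
    fetched = event.get("status") == 200 and FETCHED_MARKER in event.get("response", "")
    return {
        "src": event.get("src"),
        "verdict": "confirmed" if fetched else "probe",
        "targets": targets,
        "unauthenticated": not any(h in headers for h in AUTH_HEADERS),
    }


def scan(events: list) -> list:
    """Run classify() over a list of records and keep the hits."""
    return [hit for hit in (classify(e) for e in events) if hit is not None]


# Constructed sample records (not captured traffic). The first reuses the request shape quoted on this
# page; the response JSON is made up for the example and is not GitLab's exact format.
SAMPLE_EVENTS = [
    {"src": "203.0.113.7", "method": "POST", "path": "/api/v4/ci/lint?include_merged_yaml=true",
     "headers": {"Content-Type": "application/json"},
     "body": '{"content":"include:\\n remote: http://127.0.0.1:9100/test.yml"}',
     "status": 200,
     "response": '{"status":"invalid","errors":["Included file `http://127.0.0.1:9100/test.yml` '
                 'does not have valid YAML syntax!"]}'},
    # Ordinary developer lint of a local config: authenticated, no include at all.
    {"src": "198.51.100.4", "method": "POST", "path": "/api/v4/ci/lint",
     "headers": {"PRIVATE-TOKEN": "glpat-REDACTED", "Content-Type": "application/json"},
     "body": '{"content":"stages:\\n  - test\\ntest:\\n  script: echo ok"}',
     "status": 200, "response": '{"status":"valid","errors":[]}'},
    # Remote include of a public template host: legitimate CI usage, not flagged.
    {"src": "198.51.100.4", "method": "POST", "path": "/api/v4/ci/lint",
     "headers": {"PRIVATE-TOKEN": "glpat-REDACTED"},
     "body": '{"content":"include:\\n  - remote: https://templates.example.com/ci.yml"}',
     "status": 200, "response": '{"status":"valid","errors":[]}'},
    # Session-authenticated probe of a cloud metadata address; response lacks the marker, so only a probe.
    {"src": "203.0.113.9", "method": "POST", "path": "/api/v4/ci/lint",
     "headers": {"Cookie": "_gitlab_session=REDACTED"},
     "body": '{"content":"include:\\n  - remote: http://169.254.169.254/latest/meta-data/"}',
     "status": 200, "response": '{"status":"invalid","errors":["(constructed) fetch rejected"]}'},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The hostname branch deliberately returns False: a DNS name that resolves to an internal address (or rebinds to one) is a separate SSRF evasion that this request-side check cannot see, so pair it with the response-side marker and with egress logging on the GitLab host rather than relying on the address literal alone.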

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.1     7.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd             v2.0     5.0    MEDIUM    AV:N/AC:L/Au:N/C:P/I:N/A:N
osv                      7.5    HIGH
vulncheck                6.8    MEDIUM
cisa                     7.5    HIGH
vendor_debian            6.8    MEDIUM