CVE-2021-39935
Published: 2021-12-13
Priority P185 · high · 7.5 · CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2026-02-24
Exploited in the wild
EPSS: 30.50% (98.0th percentile)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Unauthorized external users could perform Server Side Requests via the CI Lint API.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gitlab | < gitlab 15.10.8+ds1-2 (sid) | gitlab 15.10.8+ds1-2 (sid) |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab | >= 10.5.0 < 14.3.6 | 14.3.6 |
| gitlab | gitlab | >= 14.4.0 < 14.4.4 | 14.4.4 |
| gitlab | gitlab | >= 14.5.0 < 14.5.2 | 14.5.2 |
| gitlab | gitlab_ce | — | — |
Detection & IOCs (extracted from sources)
- url: `POST /api/v4/ci/lint?include_merged_yaml=true`
- command: `{"content":"include:\n remote: http://127.0.0.1/test.yml"}`
- command: `{"content": "include:\n remote: http://127.0.0.1:9100/test.yml"}`
- port: 9100
- Detect SSRF exploitation attempts by monitoring POST requests to the CI Lint API endpoint with 'include: remote:' referencing internal/loopback addresses in the JSON body.
- Alert on HTTP 200 responses from /api/v4/ci/lint containing the string 'does not have valid YAML syntax!' in the body combined with an application/json content-type, which indicates the SSRF payload was processed.
- Use Shodan/FOFA queries to identify exposed GitLab instances as potential targets: http.title:"GitLab" or title="gitlab".
- Monitor for unauthenticated (no Authorization header) POST requests to /api/v4/ci/lint from external/non-developer users, as the vulnerability allows unauthorized external users to reach this endpoint.
- Flag CI Lint API requests whose JSON body contains 'include: remote:' pointing to RFC-1918 or loopback addresses (e.g., 127.0.0.1) as SSRF probes targeting internal network resources.
- The vulnerability is only exploitable when 'requests to the internal network for webhooks are enabled' on the GitLab instance, even if registration is restricted.
- The SSRF condition is triggered specifically when user registration is limited but external users are not properly blocked from the CI Lint API; instances with fully open registration may expose this to all users.
- The Nuclei template targets CVE-2021-22214 but explicitly covers CVE-2021-39935 and CVE-2021-22175 as well, since the same SSRF primitive spans all three CVEs fixed in separate patches.
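The request-level checks from the detection bullets above, written out as an added example (not code from any of the page's sources): it inspects CI Lint request records, flags POSTs that carry no API credential, and flags `include: remote:` URLs whose host is a loopback, private (RFC-1918) or link-local address. It assumes credentials arrive in an `Authorization` or `PRIVATE-TOKEN` header, and the sample record is constructed from the IOCs listed above.

```python
import ipaddress
import json
import re
from urllib.parse import urlsplit

CI_LINT_PATH = "/api/v4/ci/lint"
# `remote:` values inside the submitted CI YAML (the include: block), quoted or unquoted.
REMOTE_RE = re.compile(r"remote:\s*['\"]?([^\s'\"]+)")
# Headers that carry GitLab API credentials (assumption: no other auth scheme is in use).
AUTH_HEADERS = ("authorization", "private-token")

def is_internal_host(host):
    """True for loopback, RFC-1918/private, link-local or localhost targets."""
    if host.lower() in ("localhost", "localhost.localdomain"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name: not flagged here (resolution tricks are out of scope)
    return ip.is_loopback or ip.is_private or ip.is_link_local

def remote_includes(body):
    """Return every include:remote URL found in a CI Lint JSON request body."""
    try:
        content = json.loads(body).get("content", "")
    except (ValueError, AttributeError):
        return []  # not a JSON object: nothing to inspect
    return REMOTE_RE.findall(content) if isinstance(content, str) else []

def classify_ci_lint_request(record):
    """Detection labels for one request: unauthenticated CI Lint use and/or SSRF probes."""
    labels = []
    if record.get("method") != "POST" or not record.get("path", "").startswith(CI_LINT_PATH):
        return labels  # only POSTs to the CI Lint endpoint are in scope
    headers = {k.lower(): v for k, v in record.get("headers", {}).items()}
    if not any(h in headers for h in AUTH_HEADERS):
        labels.append("unauthenticated_ci_lint")
    for url in remote_includes(record.get("body", "")):
        host = urlsplit(url).hostname or ""
        if is_internal_host(host):
            labels.append("ssrf_probe:" + host)
    return labels

# Constructed request record (not real traffic), modelled on the IOCs listed above.
SAMPLE_REQUEST = {"method": "POST", "path": "/api/v4/ci/lint?include_merged_yaml=true",
                  "headers": {"Content-Type": "application/json"},
                  "body": '{"content":"include:\\n remote: http://127.0.0.1:9100/test.yml"}'}

if __name__ == "__main__":
    print(classify_ci_lint_request(SAMPLE_REQUEST))  # ['unauthenticated_ci_lint', 'ssrf_probe:127.0.0.1']
```

Feed it one record per access-log or proxy-log entry; an authenticated request that includes a public URL yields no labels, so only the two conditions the bullets describe produce alerts.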
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | — | 7.5 | HIGH | — |
| vulncheck | — | 6.8 | MEDIUM | — |
| cisa | — | 7.5 | HIGH | — |
| vendor_debian | — | 6.8 | MEDIUM | — |
GHSA
GHSA-22hj-9cx7-p2hw · ghsa_unreviewed · 2021-12-14 · HIGH · CWE-918
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Unauthorized external users could perform Server Side Requests via the CI Lint API.
OSV
CVE-2021-39935 · osv · 2021-12-13 · CVSS 7.5 HIGH
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Unauthorized external users could perform Server Side Requests via the CI Lint API.
VulnCheck
GitLab Community and Enterprise Editions Server-Side Request Forgery (SSRF) Vulnerability
vulncheck · 2021 · CVSS 6.8 MEDIUM · CWE-918
GitLab Community and Enterprise Editions contain a server-side request forgery vulnerability which could allow unauthorized external users to perform Server Side Requests via the CI Lint API.
Affected: GitLab Community and Enterprise Editions
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.greynoise.io/blog/new-ssrf-exploitation-surge; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2026-02-24
CISA
GitLab Community and Enterprise Editions Server-Side Request Forgery (SSRF) Vulnerability
cisa · 2026-02-03 · CVSS 7.5 HIGH · CWE-918
Affected: GitLab Community and Enterprise Editions
GitLab Community and Enterprise Editions contain a server-side request forgery vulnerability which could allow unauthorized external users to perform Server Side Requests via the CI Lint API.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://about.gitlab.com/releases/2021/12/06/security-release-gitlab-14-5-2-released/ ; https://nvd.nist.gov/vuln/detail/CVE-2021-39935
Remediation Due Date: 2026-02-24
GitLab
vendor_gitlab · 2021-12-13 · CVSS 6.8 MEDIUM · CWE-918
CVE-2021-39935: An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Unauthorized external users could perform Server Side Requests via the CI Lint API.
CISA KEV: GitLab Community and Enterprise Editions contain a server-side request forgery vulnerability which could allow unauthorized external users to perform Server Side Requests via the CI Lint API.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Debian
vendor_debian · 2021 · CVSS 6.8 MEDIUM
CVE-2021-39935: gitlab - An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Unauthorized external users could perform Server Side Requests via the CI Lint API.
Scope: local
sid: resolved (fixed in 15.10.8+ds1-2)
No detection rules found.
Nuclei
Gitlab CE/EE 10.5 - Server-Side Request Forgery
nuclei · template id CVE-2021-22214 · CVSS 9.8 CRITICAL
GitLab CE/EE versions starting from 10.5 are susceptible to a server-side request forgery vulnerability when requests to the internal network for webhooks are enabled, even on a GitLab instance where registration is limited. The same vulnerability actually spans multiple CVEs, due to similar reports that were fixed across separate patches. These CVEs are:
- CVE-2021-39935
- CVE-2021-22214
- CVE-2021-22175
Template:

```yaml
id: CVE-2021-22214

info:
  name: Gitlab CE/EE 10.5 - Server-Side Request Forgery
  author: Suman_Kar,GitLab Red Team
  severity: high
  description: |
    GitLab CE/EE versions starting from 10.5 are susceptible to a server-side request forgery vulnerability when requests to the internal network for webhooks are enabled, even on a GitLab i
```
Bleepingcomputer
CISA warns of five-year-old GitLab flaw exploited in attacks
blogs_bleepingcomputer · 2026-02-04 · CVSS 6.8 MEDIUM
By Sergiu Gatlan
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered government agencies to patch their systems against a five-year-old GitLab vulnerability that is actively being exploited in attacks.
GitLab patched this server-side request forgery (SSRF) flaw (tracked as CVE-2021-39935) in December 2021, saying it could allow unauthenticated attackers with no privileges to access the CI Lint API, which is used to simulate pipelines and validate CI/CD configurations.
"When user registration is limited, external users that aren't developers shouldn't have access to the CI Lint API," the company said at the time.
"An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.5 b
Greynoiseio
New SSRF Exploitation Surge Serves as a Reminder of 2019 Capital One Breach
blogs_greynoiseio · 2025-03-11
References
- https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39935.json
- https://gitlab.com/gitlab-org/gitlab/-/issues/346187
- https://hackerone.com/reports/1236965
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-39935
Timeline
- 2021-12-13: Published
- 2026-02-03: Added to CISA KEV
- Exploited in the wild