Cyber Resilience

CVE-2021-22205

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked · RCE

Published: 23 April 2021

Modified: 24 October 2025
KEV Added: 03 November 2021
CVSS Score (v3.1): 10.0 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.9447 (100.0th percentile)
Risk Priority: 97 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-22205 is a critical-severity code injection (CWE-94) vulnerability in GitLab. Its CVSS v3.1 base score is 10.0 (Critical).

Operationally, this CVE ranks in the top 0.0% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).

Deeper analysis

CVE-2021-22205 is an improper input validation flaw classified under CWE-94 that affects GitLab Community Edition and Enterprise Edition in all versions starting from 11.9. GitLab failed to properly validate image files before passing them to a file parser, which resulted in remote command execution.

This issue can be exploited remotely by unauthenticated attackers over the network with low attack complexity and no required user interaction. A successful attack yields complete impact on confidentiality, integrity, and availability, with a CVSS 3.1 base score of 10.0 reflecting the potential for full system compromise.

References such as the GitLab CVE repository entry, associated issue tracker, and HackerOne report point to official advisories and patches for remediation, while public exploit artifacts on PacketStorm demonstrate practical attack methods against the affected versions.


Vulnerability details

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: gitlab
Product: gitlab
Affected version ranges: 11.9.0 to 13.8.8 · 13.9.0 to 13.9.6

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation [prevent]: Directly requires validation of image file inputs to the parser, blocking the malformed content that triggers RCE in CVE-2021-22205.

SI-3 Malicious Code Protection [prevent, detect]: Deploys malicious-code detection mechanisms that can identify and block the command-execution payload delivered via the unvalidated image file.

Integrity verification [prevent, detect]: Requires integrity verification of both the uploaded image and the parser component, detecting tampering that leads to the remote command execution.
