CVE-2021-22205

CVE Database · CVE-2021-22205

CVE-2021-22205

· CRITICALAnalyzed

CVSS v3.1

10.0

EPSS

99.73%

Published

Apr 23, 2021

Modified

Oct 24, 2025

CISA Known Exploited Vulnerability

Added: 2021-11-03 · Due: 2021-11-17

Apply updates per vendor instructions.

Public PoC / Exploit (11)

All weaponized →

Exploit-DBGitLab 13.10.2 - Remote Code Execution (RCE) (Unauthenticated)NucleiNuclei detection template TrickestTrickest PoC index GitHub PoCAl1ex/CVE-2021-22205★286 GitHub PoCinspiringz/CVE-2021-22205★238 GitHub PoCmr-r3bot/Gitlab-CVE-2021-22205★181 GitHub PoCXTeam-Wing/CVE-2021-22205★86 GitHub PoCr0eXpeR/CVE-2021-22205★69 GitHub PoCwhwlsfb/CVE-2021-22205★23 GitHub PoCc0okB/CVE-2021-22205★13 GitHub PoCkeven1z/CVE-2021-22205★12

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Weaknesses (CWE)

CWE-94CWE-94

Affected Products (6)

gitlab · gitlab (up to 13.8.8)vulnerable

gitlab · gitlab (up to 13.9.6)vulnerable

gitlab · gitlab (up to 13.10.3)vulnerable

References (11)

http://packetstormsecurity.com/files/164768/GitLab-Unauthenticated-Remote-ExifTool-Command-Injection.html

ExploitThird Party AdvisoryVDB Entry

http://packetstormsecurity.com/files/164994/GitLab-13.10.2-Remote-Code-Execution.html

ExploitThird Party AdvisoryVDB Entry

https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22205.json

Vendor Advisory

https://gitlab.com/gitlab-org/gitlab/-/issues/327121

Broken Link

https://hackerone.com/reports/1154542

Permissions RequiredThird Party Advisory

KEV Catalog EPSS Scores Vendors All CVEs