CVE-2021-22175 — GitLab Server-Side Request Forgery (SSRF) Vulnerability

CVE-2021-22175

GitLab CE/EE Webhooks — SSRF via Webhook Requests to Internal Network Enables Unauthenticated Attacker to Probe Internal Services; Added to KEV February 2026

What is GitLab Webhooks?

GitLab webhooks allow projects to send HTTP POST notifications to external URLs when events occur — such as code pushes, merge requests, issue updates, or pipeline completions. These webhooks are configured with a target URL and GitLab makes outbound HTTP requests to that URL when events trigger. When GitLab's webhook functionality is configured to allow requests to internal network addresses, the webhook system becomes an SSRF vector: an attacker who can configure (or whose request triggers) a webhook to an internal URL can cause the GitLab server to make requests to internal services — reaching cloud metadata APIs, internal management interfaces, or other services not directly accessible from the internet. GitLab's admin configuration determines whether internal network webhook requests are permitted.

Overview

CVE-2021-22175 is a Server-Side Request Forgery vulnerability (CWE-918) in GitLab Community and Enterprise Editions. When the GitLab admin setting "Allow requests to the local network from webhooks and integrations" is enabled, external unauthenticated users can perform SSRF via the webhook functionality, causing the GitLab server to make HTTP requests to internal network addresses. The Changed scope (S:C) and High Confidentiality impact (C:H) reflect that the SSRF can reach internal services across a security boundary, potentially including cloud instance metadata services that leak IAM credentials. Patched in GitLab 13.7.9, 13.8.6, 13.9.4 (March 2021). CISA added it to KEV in February 2026 — five years after the patch.

Affected Versions

Product                             Vulnerable   Fixed
GitLab CE/EE 12.1 through 13.7.8    Yes          13.7.9
GitLab CE/EE 13.8.0 through 13.8.5  Yes          13.8.6
GitLab CE/EE 13.9.0 through 13.9.3  Yes          13.9.4

Technical Details

  • Root cause: SSRF (CWE-918) via webhook URL handling — when the GitLab admin allows webhook requests to internal network addresses, the webhook delivery mechanism does not adequately restrict which URLs can be targeted; an external attacker who can trigger a webhook (by creating a project, submitting a merge request, or performing another event-triggering action) can point the webhook at internal network addresses, causing the GitLab server to make outbound requests on the attacker's behalf
  • Admin configuration dependency: The vulnerability is triggered when "Allow requests to the local network from webhooks and integrations" is enabled in GitLab admin settings — a configuration some organizations enable for internal integrations; however, even when this setting is off, alternate exploitation paths may exist
  • AC:H complexity: The High Complexity rating reflects that exploitation requires specific conditions — appropriate event triggering, webhook configuration access, or alternate bypass paths — rather than a simple unauthenticated request
  • Scope: Changed / C:H: SSRF via GitLab webhooks can reach cloud metadata services (169.254.169.254), Kubernetes API servers, internal database endpoints, or other services behind the GitLab server's network position; accessing cloud metadata endpoints without IMDSv2 yields IAM credentials (C:H)
  • Five-year KEV delay: CISA's February 2026 addition comes five years after the March 2021 patch — reflecting the persistent presence of unpatched self-hosted GitLab instances in enterprise and government environments
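A defender-side check that follows from the bullets above: given the webhook list a GitLab instance reports, flag every target that sits in the address classes this SSRF reaches (loopback, link-local such as 169.254.169.254, private ranges, and deployment-local hostnames). This is an added example, not code from GitLab or from the original page; the hook records are constructed, the only field used is `url` as returned by GitLab's project hooks API, and the hostname suffixes treated as internal are an assumption you should tune to your environment.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of webhook records (shape of GET /api/v4/projects/:id/hooks,
# only the "url" field is used). These are illustrative values, not real hooks.
SAMPLE_HOOKS = [
    {"id": 1, "url": "https://ci.example.com/gitlab-hook"},
    {"id": 2, "url": "http://169.254.169.254/latest/meta-data/"},  # cloud metadata
    {"id": 3, "url": "http://10.0.3.7:8080/internal"},             # RFC 1918
    {"id": 4, "url": "http://[::1]:9090/"},                        # IPv6 loopback
    {"id": 5, "url": "http://localhost/admin"},
    {"id": 6, "url": "http://kubernetes.default.svc/api"},         # cluster-local name
]

# Assumed list of DNS suffixes that only resolve inside a deployment; adjust as needed.
INTERNAL_SUFFIXES = (".local", ".svc", ".internal")


def target_is_internal(url: str) -> bool:
    """True if a webhook target is an address a hardened GitLab deployment
    should not be calling: loopback, link-local, private/ULA, reserved,
    or a hostname that only resolves inside the deployment."""
    host = urlsplit(url).hostname  # strips scheme, userinfo, port and IPv6 brackets
    if not host:
        return True  # an unparsable target is treated as suspect, not ignored
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal. Without DNS we can still catch the obvious cases:
        # "localhost", unqualified single-label names, and cluster/vendor suffixes.
        name = host.lower().rstrip(".")
        return name == "localhost" or "." not in name or name.endswith(INTERNAL_SUFFIXES)
    return (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_reserved or ip.is_unspecified)


def flag_hooks(hooks: list) -> list:
    """Return the ids of hooks whose target is internal, in input order."""
    return [h["id"] for h in hooks if target_is_internal(h["url"])]


if __name__ == "__main__":
    for h in SAMPLE_HOOKS:
        print(f'hook {h["id"]}: {"INTERNAL" if target_is_internal(h["url"]) else "external"}  {h["url"]}')
```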

Discovery

Patched in GitLab 13.9.4 security release (March 4, 2021). CISA's February 2026 KEV addition (five years post-patch) reflects active exploitation of GitLab instances that had not been updated through five years of security releases — a common scenario with self-hosted GitLab deployments where update cycles are infrequent.

Exploitation Context

GitLab SSRF vulnerabilities are used to probe internal network infrastructure and steal cloud credentials. In cloud-hosted GitLab deployments, CVE-2021-22175 enables: (1) reading the cloud instance metadata service to steal IAM role credentials, (2) probing internal microservices and APIs not otherwise accessible from the internet, and (3) mapping internal network topology via webhook response variations. The five-year gap between patch and KEV addition demonstrates that even 2021-era vulnerabilities in widely deployed software remain active exploitation targets when the installed base includes many unpatched legacy instances.

Remediation

  1. Upgrade GitLab to 13.7.9, 13.8.6, 13.9.4, or any later version — patches the webhook SSRF
  2. Review and disable "Allow requests to the local network from webhooks and integrations" in GitLab admin settings unless specifically required: Admin area → Settings → Network → Outbound requests → uncheck the internal network option
  3. Configure GitLab's outbound request allowlist to restrict webhook destinations to only known, approved external services
  4. Enable IMDSv2 on cloud instances hosting GitLab — this prevents SSRF from accessing the metadata endpoint to steal IAM credentials
  5. Apply network egress controls from the GitLab server to block outbound connections to private IP ranges
  6. Maintain a regular GitLab update schedule — GitLab releases frequent security patches; self-hosted instances should be updated at least with every minor security release
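An offline audit helper for steps 1 to 3, added here as an example rather than taken from GitLab or the original page: it decides whether a reported version falls in the advisory's affected ranges and reads the two application settings that govern local-network webhook requests. The JSON responses are constructed samples; the setting names `allow_local_requests_from_web_hooks_and_services` and `outbound_local_requests_whitelist` are GitLab's application-settings API keys, and the `/api/v4/version` and `/api/v4/application/settings` endpoints are where a real run would fetch them.

```python
import json

# Inclusive vulnerable ranges, taken from the Affected Versions table above.
VULNERABLE_RANGES = [
    ((12, 1, 0), (13, 7, 8)),
    ((13, 8, 0), (13, 8, 5)),
    ((13, 9, 0), (13, 9, 3)),
]


def parse_version(v: str) -> tuple:
    """Turn '13.9.4' or '13.8.5-ee' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in v.split("-")[0].split(".")]
    parts += [0] * (3 - len(parts))  # pad '13.9' to (13, 9, 0)
    return tuple(parts[:3])


def version_is_vulnerable(v: str) -> bool:
    t = parse_version(v)
    return any(lo <= t <= hi for lo, hi in VULNERABLE_RANGES)


def audit_settings(settings: dict) -> list:
    """Findings from the /api/v4/application/settings document."""
    findings = []
    if settings.get("allow_local_requests_from_web_hooks_and_services"):
        findings.append("local-network webhook/integration requests are ENABLED; disable unless required")
    allowlist = settings.get("outbound_local_requests_whitelist") or []
    if allowlist:
        # GitLab exempts these local hosts from the block; each one needs a justification.
        findings.append(f"{len(allowlist)} local target(s) exempted from the block: {', '.join(allowlist)}")
    return findings


def audit(version_doc: dict, settings_doc: dict) -> dict:
    return {
        "version": version_doc["version"],
        "vulnerable_version": version_is_vulnerable(version_doc["version"]),
        "findings": audit_settings(settings_doc),
    }


# Constructed sample responses (not captured from a real instance).
SAMPLE_VERSION = json.loads('{"version": "13.8.5-ee"}')
SAMPLE_SETTINGS = json.loads('{"allow_local_requests_from_web_hooks_and_services": true, '
                             '"outbound_local_requests_whitelist": ["10.0.3.7", "metrics.internal"]}')

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_VERSION, SAMPLE_SETTINGS), indent=2))
```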

Key Details

CVE ID: CVE-2021-22175
Vendor / Product: GitLab — GitLab
NVD Published: 2021-06-11
NVD Last Modified: 2026-02-20
CVSS 3.1 Score: 6.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
Severity: MEDIUM
CWE: CWE-918
CISA KEV Added: 2026-02-18
CISA KEV Deadline: 2026-03-11
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: None

Required Action

CISA BOD 22-01 Deadline: 2026-03-11. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2021-03-04  GitLab security releases 13.9.4, 13.8.6, 13.7.9 patching CVE-2021-22175 SSRF via internal network webhooks
2021-06-11  CVE published
2026-02-18  Added to CISA Known Exploited Vulnerabilities catalog — five years after patch
2026-03-11  CISA BOD 22-01 remediation deadline

References

Resource                               Type
GitLab CVE Record — CVE-2021-22175     Vendor Advisory
GitLab Security Release 13.9.4         Vendor Advisory
NVD — CVE-2021-22175                   Vulnerability Database
CISA KEV Catalog Entry                 US Government