What is GitLab?
GitLab Community Edition (CE) and Enterprise Edition (EE) are widely deployed source code management and DevOps platforms used by enterprises, government agencies, and software development organizations to host Git repositories, manage CI/CD pipelines, and coordinate software development. Self-hosted GitLab instances contain source code for all of an organization's software projects — compromising GitLab provides access to intellectual property, credentials embedded in code, CI/CD pipeline secrets, and the ability to inject malicious code into software builds. GitLab is one of the highest-value targets for both espionage actors and ransomware operators.
Overview
CVE-2021-22205 is an unauthenticated remote code execution vulnerability (CWE-94, code injection) in GitLab CE/EE. GitLab Workhorse, the reverse proxy that sits in front of the Rails application, passes uploaded image files through ExifTool to strip their metadata. ExifTool versions before 12.24 (CVE-2021-22204) evaluated attacker-controlled text from DjVu annotation metadata as Perl code, so a crafted DjVu file renamed with an image extension executes arbitrary shell commands the moment ExifTool parses it. Workhorse selected files for ExifTool processing by file extension rather than by inspecting their content, ran ExifTool without sandboxing, and on some endpoints processed the upload before the Rails application had checked authentication, so the exploit needs no credentials at all. GitLab initially rated the issue 9.9 as an authenticated bug and raised it to 10.0 once the unauthenticated path was confirmed. Patched releases shipped in April 2021, but mass exploitation did not begin until October 2021, roughly six months later, once public proof-of-concept code became widely available; at that point an estimated 50% of internet-exposed GitLab instances were still unpatched.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| GitLab CE/EE 11.9 through 13.8.7 | Yes | 13.8.8 |
| GitLab CE/EE 13.9.0 through 13.9.5 | Yes | 13.9.6 |
| GitLab CE/EE 13.10.0 through 13.10.2 | Yes | 13.10.3 |
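Version strings from a real instance carry edition and build suffixes (13.10.2-ee, 13.8.8-ce.0), and the table above has gaps between the fixed release of one line and the first release of the next, so a naive string comparison gets the answer wrong. The following is an added example written for this page, not GitLab tooling: it parses such strings and applies the three ranges from the table as half-open intervals. The JSON shape is that of the authenticated GET /api/v4/version endpoint; the sample bodies in the `__main__` block are constructed, not captured from real instances.

```python
"""Added example for this page (not GitLab tooling): decide whether a GitLab
version string falls inside the CVE-2021-22205 affected ranges listed above.

Accepts versions as reported by the authenticated /api/v4/version endpoint
(JSON body like {"version": "13.10.2-ee", ...}) or any other "X.Y.Z[-suffix]"
string, and applies the three half-open ranges from the affected-versions table.
"""
import json
import re

# (first affected, first fixed) for each release line, from the table above.
# Versions compare as (major, minor, patch) tuples; the upper bound is
# exclusive, so 13.8.8 itself is fixed while 13.8.7 is vulnerable.
AFFECTED_RANGES = [
    ((11, 9, 0), (13, 8, 8)),    # 11.9 through 13.8.7, fixed in 13.8.8
    ((13, 9, 0), (13, 9, 6)),    # 13.9.0 through 13.9.5, fixed in 13.9.6
    ((13, 10, 0), (13, 10, 3)),  # 13.10.0 through 13.10.2, fixed in 13.10.3
]

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """'13.10.2-ee', 'v13.9.5', '13.10.3-ce.0' -> (13, 10, 2), (13, 9, 5), (13, 10, 3).

    Edition suffixes (-ee/-ce) and Omnibus build numbers carry no security
    meaning for this CVE, so they are ignored. A missing patch level reads as 0.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(text):
    """True if the version lies in any affected range (lower bound inclusive,
    fixed release exclusive). Releases newer than 13.10.3, or older than 11.9,
    are reported as not affected; releases in the gap between one line's fixed
    version and the next line's .0 (e.g. 13.8.9) are fixed as well."""
    v = parse_version(text)
    return any(first <= v < fixed for first, fixed in AFFECTED_RANGES)


def check_api_version_body(body):
    """Evaluate the JSON returned by GET /api/v4/version (needs a token).
    Returns (version_string, vulnerable)."""
    version = json.loads(body)["version"]
    return version, is_vulnerable(version)


if __name__ == "__main__":
    # Constructed sample responses, not captured from real instances.
    samples = [
        '{"version":"13.10.2-ee","revision":"0000000"}',
        '{"version":"13.8.8-ce.0","revision":"0000000"}',
        '{"version":"14.3.1-ee","revision":"0000000"}',
    ]
    for body in samples:
        version, vuln = check_api_version_body(body)
        print(f"{version:14s} {'VULNERABLE' if vuln else 'fixed'}")
```

The /api/v4/version endpoint returns 401 to anonymous callers, so run this with a read-only token from inventory automation rather than as an unauthenticated sweep; for an instance you administer, the same version string appears in the Admin Area and in the output of gitlab-rake gitlab:env:info.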
Technical Details
The attack chain combines two weaknesses: ExifTool's own code injection bug and the way GitLab Workhorse invokes ExifTool:
- Root cause: Code injection (CWE-94). ExifTool before 12.24 (CVE-2021-22204) parsed the annotation (metadata) chunk of DjVu files and, while unescaping the string, evaluated it as Perl, so constructs such as ${...} or a backtick expression embedded in the metadata run as code. GitLab Workhorse invoked ExifTool on every upload whose filename carried an image extension, without checking that the content was actually an image.
- Attack path: The attacker renames a crafted DjVu file with a .jpg (or similar) extension and uploads it to any GitLab endpoint whose uploads Workhorse pre-processes, such as the /uploads/user attachment endpoint. Workhorse runs ExifTool on the file and the embedded command executes; the HTTP response is typically 422 with "Failed to process image", which the public exploits use as their success check.
- Authentication required: None. On those endpoints Workhorse processes the upload before the Rails application has checked authentication, so no session, token or account is needed; this is a zero-auth exploit.
- Scope: Changed. The vulnerable component is GitLab's upload handling, but the impact lands on the underlying host: the attacker executes operating-system commands on the server running GitLab.
- Code execution context: Commands run as the GitLab application user (git on Omnibus installations), which can read the rendered Rails configuration under /var/opt/gitlab/gitlab-rails/etc/ (database credentials, secrets.yml), the repository storage, and every CI/CD variable the instance holds.
Discovery
The underlying ExifTool vulnerability (CVE-2021-22204) was discovered by security researcher William Bowling. GitLab's exposure was reported through its HackerOne bug bounty program once it was clear that Workhorse fed untrusted uploads to ExifTool without sandboxing or content validation. GitLab shipped patched releases (13.10.3, 13.9.6, 13.8.8) in April 2021, bundling the fixed ExifTool.
Exploitation Context
Despite the April 2021 patch, mass exploitation began in earnest in late October 2021 following the publication of ready-to-use proof-of-concept exploit code. Threat actors deployed cryptominers, webshells, and ransomware on compromised GitLab instances. The source code repositories accessible after compromise represent a secondary impact: stolen source code, embedded credentials, and injected backdoors in CI/CD pipelines can have cascading effects long after the initial intrusion. Rapid7 analysis confirmed active exploitation across hundreds of GitLab instances globally.
Remediation
- Update GitLab to 13.10.3, 13.9.6, 13.8.8, or any later release. Omnibus packages bundle ExifTool, so the update covers it; source installations must also upgrade the system ExifTool to 12.24 or later.
- Treat any instance that was internet-exposed and unpatched between April and November 2021 as potentially compromised. The exploit file itself is usually rejected by Workhorse (HTTP 422, "Failed to process image") and never reaches the upload store, so the absence of a malicious upload proves nothing; look in the Workhorse logs for uploads that failed ExifTool processing, and for exiftool child processes that spawned shells if process auditing is available.
- Check for webshells and other dropped files in the GitLab installation directory, the upload storage (/var/opt/gitlab/gitlab-rails/uploads on Omnibus), any web roots, and cron entries of the git user.
- Review GitLab audit logs for unexpected repository access, pipeline changes, runner registrations, or new user and access-token creation.
- Rotate all GitLab application secrets, runner registration and authentication tokens, deploy keys, and every credential stored in CI/CD variables; anything the git user could read must be considered exposed.
- Audit all repositories for unauthorized commits or modified .gitlab-ci.yml files that could inject malicious build steps.
- Restrict network access to GitLab: self-hosted instances should not be directly internet-accessible unless necessary; front them with a VPN or allowlisted IP ranges.
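The following scanner is an added example written for this page, not GitLab's or Workhorse's own code. It serves both the Technical Details above (Workhorse trusted the extension and never looked at the content) and the webshell and upload-store check in this list: it identifies files by magic bytes rather than extension, flags any DjVu container sitting where only images belong, and greps uncompressed DjVu annotation chunks for the Perl interpolation syntax the public payloads relied on. The directory path, the broad image extension set, and the sample DjVu bytes are assumptions or constructed fixtures. It only inspects uncompressed ANTa chunks, so a payload inside a compressed ANTz chunk is reported merely as an unexpected DjVu file, and because Workhorse usually rejected the exploit upload, an empty result does not clear an instance.

```python
"""Added example for this page (not GitLab or Workhorse code): flag files that
carry an image extension but are really DjVu containers, and look inside them
for the Perl-interpolation pattern used by CVE-2021-22204 payloads.

Assumptions: the scanned directory holds plain files (an Omnibus upload store,
a quarantine folder, or uploads captured by a proxy); only uncompressed ANTa
annotation chunks are inspected, so a payload inside a compressed ANTz chunk
is still reported, but only as an unexpected DjVu file.
"""
import os
import sys
import re

# Extensions an avatar or attachment store is expected to contain. The wider set
# here catches renamed files regardless of which extensions Workhorse dispatched on.
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".tif", ".tiff", ".bmp", ".webp"}

# DjVu is an IFF container: the file starts with "AT&T" followed by "FORM".
DJVU_MAGIC = b"AT&TFORM"

# Magic bytes of formats that are genuinely images. This check is content-based,
# which is exactly what the vulnerable extension-only dispatch lacked.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"II*\x00": "image/tiff",
    b"MM\x00*": "image/tiff",
    b"BM": "image/bmp",
}

# Exploit files place a "(metadata ...)" s-expression in the annotation chunk;
# the injected code relied on Perl evaluating that string, so the payload shows
# interpolation or command syntax such as ${...}, @{...}, qx{...}, system(...)
# or backticks inside the expression.
PAYLOAD_RE = re.compile(rb"\(metadata.*?(\$\{|@\{|qx[{(/]|system\s*\(|`)", re.S)


def sniff_mime(head):
    """Identify a file by its leading bytes; None if it matches no known format."""
    if head.startswith(DJVU_MAGIC):
        return "image/vnd.djvu"
    for magic, mime in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return mime
    return None


def classify(name, data):
    """Verdict for one file:
       'payload'  - DjVu container with an ExifTool-style injected expression
       'djvu'     - DjVu container without a recognisable payload (still anomalous)
       'mismatch' - image extension but content is not a recognised image
       'ok'       - nothing suspicious
    """
    ext = os.path.splitext(name)[1].lower()
    mime = sniff_mime(data[:16])
    if mime == "image/vnd.djvu":
        return "payload" if PAYLOAD_RE.search(data) else "djvu"
    if ext in IMAGE_EXTS and mime is None:
        return "mismatch"
    return "ok"


def scan_items(items):
    """Apply classify() to in-memory (name, data) pairs; return the non-'ok' ones."""
    findings = []
    for name, data in items:
        verdict = classify(name, data)
        if verdict != "ok":
            findings.append((name, verdict))
    return findings


def scan_directory(root):
    """Walk a directory tree and return [(path, verdict)] for every suspicious
    file. Files are read whole; upload stores rarely hold anything large."""
    def files():
        for dirpath, _, filenames in os.walk(root):
            for fn in filenames:
                path = os.path.join(dirpath, fn)
                try:
                    with open(path, "rb") as fh:
                        yield path, fh.read()
                except OSError:
                    continue  # unreadable file: skip rather than abort the scan
    return scan_items(files())


# Constructed fixture mimicking the shape of public exploit files: a DjVu header
# whose ANTa chunk holds a metadata expression with an interpolated system() call.
# Chunk lengths are not accurate, so this is a detection sample, not a working exploit.
SAMPLE_DJVU_PAYLOAD = (
    b"AT&TFORM\x00\x00\x00\x60DJVUINFO\x00\x00\x00\x0a"
    + b"\x00\x08\x00\x08\x18\x00\x2c\x01\x16\x01"
    + b"ANTa\x00\x00\x00\x40"
    + b'(metadata (Copyright "\\c${system(\'id\')};"))'
)

if __name__ == "__main__":
    # Assumed default: the Omnibus upload store. Pass another path as argv[1].
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/opt/gitlab/gitlab-rails/uploads"
    for path, verdict in scan_directory(root):
        print(f"{verdict:9s} {path}")
```

Anything reported as payload or djvu deserves a full incident response, not just deletion: the file shows an attacker reached the upload path, and the commands it carried may already have dropped a webshell or miner elsewhere on the host.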
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-22205 |
| Vendor / Product | GitLab — Community and Enterprise Editions |
| NVD Published | 2021-04-23 |
| NVD Last Modified | 2025-10-24 |
| CVSS 3.1 Score | 10.0 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-94 (Improper Control of Generation of Code, "Code Injection") |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2021-11-17 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2021-04-14 | GitLab issues Security Release 13.10.3, 13.9.6, 13.8.8 patching CVE-2021-22205 (ExifTool 12.24 bundled) |
| 2021-04-23 | CVE published; root cause linked to ExifTool CVE-2021-22204 |
| 2021-10 | Mass exploitation begins; researchers estimate ~50% of internet-exposed GitLab instances unpatched |
| 2021-11-01 | Rapid7 publishes detailed exploitation analysis confirming ransomware and cryptominer deployment |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2021-11-17 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| GitLab Security Release 13.10.3 — April 2021 | Vendor Advisory |
| ExifTool Security Advisory GHSA-66p8-j459-rq63 (CVE-2021-22204) | Security Research |
| Rapid7 — GitLab Unauthenticated RCE Exploited in the Wild | Security Research |
| NVD — CVE-2021-22205 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |