>_ 0dayNews
CVE Record
[ CRITICAL ] CVE-2021-22205

GitLab CE/EE ExifTool Remote Code Execution

An improper-validation vulnerability in GitLab Community Edition and Enterprise Edition allows an unauthenticated attacker to achieve remote code execution by uploading a crafted image file processed through a vulnerable ExifTool image-metadata parser.

cat cve-2021-22205.json
Vendor: GitLab
Product: GitLab CE/EE
CVSS: 9.9
Status: kev
Published:
CVE-2021-22205 is a critical remote-code-execution vulnerability in GitLab Community Edition and Enterprise Edition, originally patched in April 2021 but not widely recognized as pre-authentication remote code execution until researchers re-analyzed it and demonstrated full exploitation in late 2021 — at which point exploitation in the wild began at scale. The flaw sits in GitLab’s handling of uploaded image files: a crafted image processed through the vulnerable bundled ExifTool library could trigger code execution on the GitLab server, and the image-upload endpoint was reachable without authentication.
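The record above describes the root cause as improper validation of an uploaded image before a third-party metadata parser sees it. The generic hardening that addresses that class of bug is to refuse any upload whose bytes do not carry the magic signature of a format you deliberately accept, and whose filename extension does not agree with those bytes, before the file is handed to anything like ExifTool. The following is an added example written for this page; it is not GitLab's code and not the actual GitLab fix (that is in GitLab's release notes). It assumes the upload handler can reject a file before any parser reads it; the format table, `UnsafeUpload`, `extract_metadata` and all sample bytes are constructed for illustration.

```python
"""Magic-byte allow-listing for image uploads before metadata extraction.

Added example, not GitLab's code or its actual fix. Assumes the upload
handler can reject a file before any third-party parser (such as an
ExifTool wrapper) reads it. All sample bytes below are constructed.
"""
from __future__ import annotations

from typing import Callable, Optional

# Accepted formats, each as a list of alternative signatures; a signature is
# a tuple of (offset, expected_bytes) pairs that must all match.
SIGNATURES: dict[str, list[tuple[tuple[int, bytes], ...]]] = {
    "jpeg": [((0, b"\xff\xd8\xff"),)],
    "png": [((0, b"\x89PNG\r\n\x1a\n"),)],
    "gif": [((0, b"GIF87a"),), ((0, b"GIF89a"),)],
    "webp": [((0, b"RIFF"), (8, b"WEBP"))],
}

# Which canonical format each accepted filename extension claims to be.
EXTENSION_TO_FORMAT = {
    "jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif", "webp": "webp",
}


class UnsafeUpload(ValueError):
    """Raised when a file must not reach the metadata parser."""


def sniff_image_format(data: bytes) -> Optional[str]:
    """Return the format whose magic bytes the content carries, else None."""
    for fmt, alternatives in SIGNATURES.items():
        for signature in alternatives:
            if all(data[off:off + len(magic)] == magic for off, magic in signature):
                return fmt
    return None


def declared_format(filename: str) -> Optional[str]:
    """Format claimed by the extension, or None if not on the allow-list."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXTENSION_TO_FORMAT.get(ext)


def validate_upload(filename: str, data: bytes) -> str:
    """Accept only when extension and content agree on an allow-listed format."""
    declared = declared_format(filename)
    if declared is None:
        raise UnsafeUpload(f"{filename!r}: extension not in the image allow-list")
    actual = sniff_image_format(data)
    if actual is None:
        raise UnsafeUpload(f"{filename!r}: content matches no accepted image signature")
    if actual != declared:
        raise UnsafeUpload(f"{filename!r}: extension claims {declared} but content is {actual}")
    return actual


def extract_metadata(filename: str, data: bytes,
                     parser: Callable[[bytes], dict]) -> dict:
    """Gate the parser: it only ever sees content that passed validate_upload."""
    fmt = validate_upload(filename, data)
    meta = dict(parser(data))
    meta["validated_format"] = fmt
    return meta


# Constructed samples: minimal headers, not real images.
SAMPLES = {
    "avatar.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
    "anim.gif": b"GIF89a" + b"\x00" * 10,
    "wrong-ext.jpg": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,   # PNG bytes, .jpg name
    "not-an-image.png": b"%PDF-1.4 constructed non-image payload",
    "doc.txt": b"plain text",
}


def triage_samples() -> dict[str, str]:
    """Run every sample through the gate; return accept/reject verdicts."""
    def stub_parser(_: bytes) -> dict:      # stands in for a real metadata tool
        return {"source": "stub"}
    verdicts: dict[str, str] = {}
    for name, content in SAMPLES.items():
        try:
            meta = extract_metadata(name, content, stub_parser)
            verdicts[name] = "accepted:" + meta["validated_format"]
        except UnsafeUpload as exc:
            verdicts[name] = "rejected:" + str(exc).split(": ", 1)[1]
    return verdicts


if __name__ == "__main__":
    for name, verdict in triage_samples().items():
        print(f"{name:18} {verdict}")
```

The point of the gate is ordering: the parser is a dependency you do not control, so the allow-list runs first and a mismatch between what the filename claims and what the bytes are is treated as a rejection, not as something to pass along for the parser to sort out.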

Why it mattered

GitLab instances host an organization’s source code, CI/CD pipeline configuration, and often embedded secrets and deployment credentials — a compromise is rarely contained to “just” the Git server. Because the original April 2021 patch notes didn’t clearly convey the severity of pre-authentication RCE, a large number of GitLab instances remained unpatched for months; once public proof-of-concept exploit code circulated in late 2021, mass scanning and exploitation of internet-exposed GitLab servers followed, with attackers using compromised instances for cryptomining and further network pivoting.

CISA added the CVE to its KEV catalog in late 2021 once active exploitation was confirmed at scale, well after the original patch had shipped — a reminder that patch availability and patch adoption are not the same thing. Full technical detail and patch guidance are in GitLab’s security release notes and in the NVD entry for this CVE.