CVE-2021-22204

Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the...

Basic Information

CVE State: PUBLISHED
Reserved Date: January 05, 2021
Published Date: April 23, 2021
Last Updated: February 06, 2025
Vendor: ExifTool
Product: ExifTool
Description: Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image

CVSS Scores

CVSS v3.1

6.8 - MEDIUM

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

SSVC Information

Exploitation: active
Technical Impact: partial

Exploit Status

Exploited in the Wild: Yes (added 2021-11-17 00:00:00 UTC) Source
Proof of Concept Available: Yes (added 2021-11-04 14:31:02 UTC) Source

References

https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031#diff-fa0d652d10dbcd246e6b1df16c1e992931d3bb717a7e36157596b76bdadb3800 https://hackerone.com/reports/1154542 https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22204.json https://www.debian.org/security/2021/dsa-4910 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U4RF6PJCJ6NQOVJJJF6HN6BORUQVIXY6/ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDKDLJLBTBBR66OOPXSXCG2PQRM5KCZL/ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6UOBPU3LSHAPRRJNISNVXZ5DSUIALLV/ http://www.openwall.com/lists/oss-security/2021/05/09/1 http://www.openwall.com/lists/oss-security/2021/05/10/5 http://packetstormsecurity.com/files/162558/ExifTool-DjVu-ANT-Perl-Injection.html https://lists.debian.org/debian-lts-announce/2021/05/msg00018.html http://packetstormsecurity.com/files/164768/GitLab-Unauthenticated-Remote-ExifTool-Command-Injection.html http://packetstormsecurity.com/files/164994/GitLab-13.10.2-Remote-Code-Execution.html http://packetstormsecurity.com/files/167038/ExifTool-12.23-Arbitrary-Code-Execution.html

Known Exploited Vulnerability Information

Source	Added Date
CISA	2021-11-17 00:00:00 UTC

Scanner Integrations

Scanner	URL	Date Detected
Metasploit	https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/gitlab_exif_rce.rb	2025-04-29 11:01:21 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

gitlab_exif_rce

Type: metasploit • Created: Unknown

Metasploit module for CVE-2021-22204

Akash7350/CVE-2021-22204

Type: github • Created: 2023-05-14 03:43:28 UTC • Stars: 4

UNICORDev/exploit-CVE-2021-22204

Type: github • Created: 2022-04-16 22:49:47 UTC • Stars: 41

Exploit for CVE-2021-22204 (ExifTool) - Arbitrary Code Execution

mr-tuhin/CVE-2021-22204-exiftool

Type: github • Created: 2022-02-21 11:07:19 UTC • Stars: 8

exiftool exploit

0xBruno/CVE-2021-22204

Type: github • Created: 2022-01-30 03:11:56 UTC • Stars: 2

A complete PoC for CVE-2021-22204 exiftool RCE

trganda/CVE-2021-22204

Type: github • Created: 2021-12-29 13:41:35 UTC • Stars: 3

ph-arm/CVE-2021-22204-Gitlab

Type: github • Created: 2021-11-04 14:31:02 UTC • Stars: 2

Modification of gitlab exploit anything under 13.10

AssassinUKG/CVE-2021-22204

Type: github • Created: 2021-08-02 18:56:16 UTC • Stars: 27

PenTestical/CVE-2021-22204

Type: github • Created: 2021-08-02 09:11:27 UTC • Stars: 3

bilkoh/POC-CVE-2021-22204

Type: github • Created: 2021-05-21 00:14:52 UTC • Stars: 8

POC for exiftool vuln (CVE-2021-22204).

se162xg/CVE-2021-22204

Type: github • Created: 2021-05-12 08:51:44 UTC • Stars: 11

exiftool arbitrary code execution vulnerability

convisolabs/CVE-2021-22204-exiftool

Type: github • Created: 2021-05-11 18:45:07 UTC • Stars: 93

Python exploit for the CVE-2021-22204 vulnerability in Exiftool