CVE-2021-22205

Basic Information

CVE State: PUBLISHED
Reserved Date: January 05, 2021
Published Date: April 23, 2021
Last Updated: February 06, 2025
Vendor: GitLab
Product: GitLab
Description: An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.

CVSS Scores

CVSS v3.1

10.0 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

SSVC Information

Exploitation: active
Automatable: Yes
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (added 2021-11-03 00:00:00 UTC)
Proof of Concept Available: Yes (added 2021-10-30 11:54:29 UTC)

Known Exploited Vulnerability Information

Source: CISA
Added Date: 2021-11-03 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

keven1z/CVE-2021-22205

Type: github • Created: 2022-07-20 16:57:57 UTC • Stars: 12

CVE-2021-22205 detection script, supports getshell and command execution

pizza-power/Golang-CVE-2021-22205-POC

Type: github • Created: 2021-11-25 12:47:27 UTC • Stars: 3

A CVE-2021-22205 Gitlab RCE POC written in Golang

inspiringz/CVE-2021-22205

Type: github • Created: 2021-11-11 04:34:07 UTC • Stars: 224

GitLab CE/EE Preauth RCE using ExifTool

faisalfs10x/GitLab-CVE-2021-22205-scanner

Type: github • Created: 2021-11-09 18:19:43 UTC • Stars: 6

runsel/GitLab-CVE-2021-22205-

Type: github • Created: 2021-11-05 16:56:06 UTC • Stars: 3

Exploit for GitLab CVE-2021-22205 Unauthenticated Remote Code Execution

shang159/CVE-2021-22205-getshell

Type: github • Created: 2021-11-01 06:06:04 UTC • Stars: 3

CVE-2021-22205-getshell

c0okB/CVE-2021-22205

Type: github • Created: 2021-10-31 14:34:51 UTC • Stars: 13

CVE-2021-22205 RCE

Seals6/CVE-2021-22205

Type: github • Created: 2021-10-31 04:15:30 UTC • Stars: 35

CVE-2021-22205 unauthenticated vulnerability batch detection and exploitation tool

findneo/GitLab-preauth-RCE_CVE-2021-22205

Type: github • Created: 2021-10-30 11:54:29 UTC • Stars: 3

PoC in single line bash

whwlsfb/CVE-2021-22205

Type: github • Created: 2021-10-30 02:56:34 UTC • Stars: 22

CVE-2021-22205 Gitlab unauthenticated remote code execution vulnerability EXP; removes the dependency on djvumake & djvulibre, usable on the Windows platform

Al1ex/CVE-2021-22205

Type: github • Created: 2021-10-29 04:30:45 UTC • Stars: 273

CVE-2021-22205& GitLab CE/EE RCE

ZZ-SOCMAP/CVE-2021-22205

Type: github • Created: 2021-10-29 04:15:00 UTC • Stars: 7

Gitlab CE/EE RCE unauthenticated remote code execution vulnerability POC && EXP CVE-2021-22205

r0eXpeR/CVE-2021-22205

Type: github • Created: 2021-10-28 14:02:51 UTC • Stars: 68

CVE-2021-22205 Unauthorized RCE

XTeam-Wing/CVE-2021-22205

Type: github • Created: 2021-10-28 06:29:37 UTC • Stars: 86

Pocsuite3 For CVE-2021-22205

mr-r3bot/Gitlab-CVE-2021-22205

Type: github • Created: 2021-06-05 15:42:16 UTC • Stars: 182