CISA warns of five-year-old GitLab flaw
The US Cybersecurity and Infrastructure Security Agency (CISA) is directing federal agencies to address a long-standing GitLab vulnerability after determining it is being actively exploited.
The issue, tracked as CVE-2021-39935, is a server-side request forgery (SSRF) flaw that GitLab patched in December 2021. It allows an unauthenticated attacker to use the CI Lint API, the endpoint that validates CI/CD pipeline configurations, to make the GitLab server issue requests on the attacker's behalf, potentially reaching internal services that are not exposed to the internet.
GitLab noted at disclosure that external users should not be able to reach the CI Lint API in environments where user registration is restricted.
The vulnerability affects GitLab Community Edition and Enterprise Edition: all versions from 10.5 before 14.3.6, all versions from 14.4 before 14.4.4, and all versions from 14.5 before 14.5.2. On affected instances, unauthenticated users can abuse the CI Lint API to initiate server-side requests.
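To turn the three version ranges above into something an administrator can actually run against an inventory, here is an added version-range checker. It is example code written for this page, not from GitLab or CISA; the ranges are the ones stated in the advisory, and the sample response for the `GET /api/v4/version` endpoint (a real, authenticated GitLab endpoint) is constructed rather than captured from a live instance. It goes slightly beyond the text by handling `-ee`/`-pre` suffixes and a bare `major.minor` string.

```python
import json
import re

# Affected ranges for CVE-2021-39935 as stated in the GitLab advisory,
# expressed as [lower, upper) on (major, minor, patch). Versions below 10.5
# and later release branches fall outside the stated ranges.
AFFECTED_RANGES = (
    ((10, 5, 0), (14, 3, 6)),   # 10.5 .. 14.3.5  -> fixed in 14.3.6
    ((14, 4, 0), (14, 4, 4)),   # 14.4 .. 14.4.3  -> fixed in 14.4.4
    ((14, 5, 0), (14, 5, 2)),   # 14.5 .. 14.5.1  -> fixed in 14.5.2
)

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) from strings such as '14.3.5',
    '14.3.5-ee' or '14.5.2-pre'. A missing patch component is treated
    as 0, so a bare '14.3' compares as 14.3.0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def affected_range(version):
    """Return the (lower, upper) range that contains `version`, or None."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return (lo, hi)
    return None


def is_affected(version):
    """True if the version string falls inside any affected range."""
    return affected_range(version) is not None


def triage(version_json):
    """Take the JSON body returned by GET /api/v4/version (requires an
    API token) and produce a verdict including the first fixed release
    on the same branch."""
    body = json.loads(version_json)
    version = body["version"]
    rng = affected_range(version)
    return {
        "version": version,
        "affected": rng is not None,
        "fixed_in": ".".join(map(str, rng[1])) if rng else None,
    }


# Constructed sample response; not captured from a real instance.
SAMPLE_VERSION_JSON = '{"version": "14.4.3-ee", "revision": "deadbeef"}'

if __name__ == "__main__":
    print(triage(SAMPLE_VERSION_JSON))
    for v in ("10.4.9", "13.12.15", "14.3.6", "14.5.1", "15.0.0"):
        print(v, "affected" if is_affected(v) else "not in affected ranges")
```

The version body can be fetched with `curl --header "PRIVATE-TOKEN: <token>" https://gitlab.example.com/api/v4/version` and piped into `triage()`. Note that a match here only says the version is in the advisory's ranges; it does not confirm whether the CI Lint API is reachable by unauthenticated users on that instance.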
CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, activating remediation requirements under Binding Operational Directive (BOD) 22-01. Federal Civilian Executive Branch agencies have until February 24, 2026, to implement fixes or mitigations.
While the directive applies only to federal agencies, CISA encouraged private-sector organizations to treat the issue as a priority, noting that SSRF vulnerabilities are frequently leveraged by threat actors.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said, advising organizations to apply vendor guidance, follow cloud-related mitigation requirements, or discontinue use of affected products if fixes are not available.
Internet-facing exposure remains substantial. Shodan data indicates more than 49,000 GitLab instances are accessible online, most of them located in China, with nearly 27,000 operating on the default HTTPS port.
GitLab reports that its DevSecOps platform serves over 30 million registered users and is used by more than half of Fortune 100 companies, including Nvidia, Airbus, Goldman Sachs, T-Mobile, and Lockheed Martin.
CISA also issued a separate alert this week for a critical SolarWinds Web Help Desk vulnerability, adding it to the KEV catalog and imposing the same three-week remediation deadline for federal agencies.