CISA Warns of Five-Year-Old GitLab Flaw Actively Exploited in Attacks
#Vulnerabilities

Security Reporter

CISA has added a five-year-old GitLab SSRF vulnerability to its list of actively exploited flaws, ordering federal agencies to patch within three weeks while warning all organizations to secure their systems against ongoing attacks.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about a five-year-old GitLab vulnerability that is currently being exploited in active attacks. The agency has ordered federal agencies to patch their systems within three weeks, while simultaneously urging all organizations to prioritize securing their GitLab instances against this threat.

The Vulnerability: CVE-2021-39935

The flaw in question, tracked as CVE-2021-39935, is a server-side request forgery (SSRF) vulnerability that GitLab patched back in December 2021. This critical vulnerability affects GitLab Community Edition (CE) and Enterprise Edition (EE) across multiple versions:

  • All versions from 10.5 before 14.3.6
  • All versions from 14.4 before 14.4.4
  • All versions from 14.5 before 14.5.2

The vulnerability allows unauthenticated attackers with no privileges to access the CI Lint API, which is designed to simulate pipelines and validate CI/CD configurations. When user registration is limited, external users who aren't developers shouldn't have access to this API, but the flaw breaks this security boundary.

Active Exploitation and Federal Response

On Tuesday, CISA added CVE-2021-39935 to its catalog of known exploited vulnerabilities, triggering a mandatory patching deadline for Federal Civilian Executive Branch (FCEB) agencies. These agencies must apply mitigations by February 24, 2026, as mandated by Binding Operational Directive (BOD) 22-01.

While BOD 22-01 specifically targets federal agencies, CISA has made it clear that this is not just a government problem. The agency is strongly recommending that all organizations, including those in the private sector, prioritize securing their GitLab instances against ongoing attacks.

"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA warned in its advisory. The agency recommends applying vendor-provided mitigations, following applicable BOD 22-01 guidance for cloud services, or discontinuing use of the product if mitigations are unavailable.

Widespread Exposure and Impact

According to Shodan data, there are currently over 49,000 devices with a GitLab fingerprint exposed online. The vast majority of these are located in China, with nearly 27,000 using the default port 443. This widespread exposure creates a significant attack surface for malicious actors.

GitLab's reach is substantial in the enterprise world. The company claims its DevSecOps platform has more than 30 million registered users and is used by over 50% of Fortune 100 organizations. High-profile customers include Nvidia, Airbus, Goldman Sachs, T-Mobile, and Lockheed Martin, making this vulnerability particularly concerning for critical infrastructure and major corporations.

Context: Multiple Active Threats

This GitLab warning comes as part of a broader pattern of CISA identifying and responding to actively exploited vulnerabilities. Just yesterday, the agency also flagged a critical SolarWinds Web Help Desk vulnerability as being actively exploited, ordering government agencies to patch those systems within three days.

This dual warning underscores the current threat landscape where both old, unpatched vulnerabilities and newly discovered flaws are being weaponized by attackers. Organizations need to maintain robust vulnerability management programs that can identify and remediate both recent and legacy security issues.

Mitigation Steps

For organizations running GitLab, immediate action is recommended:

  1. Check your GitLab version against the affected versions listed above
  2. Apply the latest security patches if running vulnerable versions
  3. Review access controls on the CI Lint API and other potentially vulnerable endpoints
  4. Monitor for suspicious activity that might indicate exploitation attempts
  5. Consider network segmentation to limit exposure of GitLab instances
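
Step 1 above is easy to get wrong by hand because the three affected ranges overlap release branches. The following is an added example, not code from the article or from GitLab, that checks a version string (as shown by a `gitlab-rake gitlab:env:info` banner or the admin UI) against the affected ranges quoted in this advisory and names the first fixed release on that branch; the version strings in the sample run are constructed.

```python
"""Check a GitLab version against the CVE-2021-39935 affected ranges
from the advisory: 10.5 <= v < 14.3.6, 14.4 <= v < 14.4.4, 14.5 <= v < 14.5.2.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (first affected version, first fixed version) per release branch,
# taken from the advisory text; everything below 10.5 or at/after the
# fixed release of its branch is treated as unaffected.
AFFECTED_RANGES = (
    ((10, 5, 0), (14, 3, 6)),
    ((14, 4, 0), (14, 4, 4)),
    ((14, 5, 0), (14, 5, 2)),
)


def parse_version(text: str) -> Version:
    """Extract major.minor[.patch] from strings such as '14.3.5-ee'
    or 'GitLab 14.5.1-ce.0'; a missing patch number is read as 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def first_fixed_version(text: str) -> Optional[Version]:
    """Return the first fixed release for an affected version, else None."""
    v = parse_version(text)
    for low, fixed in AFFECTED_RANGES:
        if low <= v < fixed:
            return fixed
    return None


def is_affected(text: str) -> bool:
    return first_fixed_version(text) is not None


def report(text: str) -> str:
    """One-line human-readable verdict for an inventory report."""
    v = ".".join(map(str, parse_version(text)))
    fixed = first_fixed_version(text)
    if fixed is None:
        return f"{v}: not in an affected range"
    return f"{v}: affected by CVE-2021-39935, upgrade to {'.'.join(map(str, fixed))} or later"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for sample in ["14.3.5-ee", "GitLab 14.5.1-ce.0", "14.5.2", "10.4.9", "13.12.0"]:
        print(report(sample))
```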

GitLab has provided detailed security advisories and patch information for each affected version. Organizations should consult GitLab's official documentation and security advisories for specific upgrade paths and mitigation strategies.

The Broader Lesson

The active exploitation of a five-year-old vulnerability serves as a stark reminder that security debt accumulates over time. Even well-known, documented vulnerabilities can remain exploitable years after patches become available, particularly in complex enterprise environments where upgrade processes can be lengthy and disruptive.

This incident highlights the importance of:

  • Maintaining current asset inventories
  • Implementing automated vulnerability scanning
  • Prioritizing patch management based on exploitability
  • Having incident response plans ready for known exploited vulnerabilities

As threat actors continue to exploit both new and old vulnerabilities, organizations must adopt a proactive security posture that addresses the full spectrum of potential attack vectors, from the latest zero-days to vulnerabilities that have been known for years.
