GitLab SSRF leads to Critical Information Disclosure (CVE-2021-22175)

Listen to this Post

When requests to the internal network for webhooks are enabled, a server-side request forgery (SSRF) vulnerability in GitLab affects all versions starting from 10.5. This flaw allows an unauthenticated attacker to force the GitLab server to make HTTP requests to internal network resources, even on instances where user registration is disabled . The vulnerability exists due to insufficient validation of user-supplied input in the webhook functionality . By crafting a malicious webhook URL that points to internal IP addresses or localhost, an attacker can bypass access controls. The server then acts as a proxy, sending requests to internal systems and returning the responses to the attacker . This can lead to the exposure of sensitive data from internal services, such as cloud metadata endpoints (e.g., AWS IAM credentials), internal APIs, or other services not intended to be publicly accessible . While GitLab’s initial assessment rated this as medium severity (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N, base score 6.8) , the NVD has since assigned a critical score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting the high potential for complete system compromise if sensitive internal services are reachable . The issue was reported via HackerOne and patched in versions 13.8.4, 13.7.7, and 13.6.7 .

dailycve form:

Platform: GitLab
Version: 10.5+
Vulnerability: Server-Side Request Forgery
Severity: Critical
date: Jun 11 2021

Prediction: Already Patched (2021)

What Undercode Say:

Analytics:

CVSS Score Conflict: GitLab Inc. assigned a MEDIUM 6.8 score, while NIST NVD re-scored it as CRITICAL 9.8 .
Exploitation in Wild: A coordinated surge in SSRF exploitation, including this CVE, was detected by GreyNoise on March 9, 2025 .
Attack Vector: Network-based, requiring no privileges or user interaction .
Impact Scope: Successful exploit can lead to High Confidentiality, Integrity, and Availability impact .
EPSS Score: As of March 2025, the Exploit Prediction Scoring System (EPSS) probability was 16.6%, indicating a high likelihood of exploitation .

How Exploit:

The attacker crafts a request to the GitLab webhook endpoint, specifying a URL that points to an internal or restricted resource.

Hypothetical exploitation pattern:
1. Attacker identifies a GitLab instance with webhooks enabled.
2. Attacker sends a POST request to the project webhook settings or test endpoint.
3. The request contains a payload URL targeting internal infrastructure.
Example conceptual payload:
URL = http://169.254.169.254/latest/meta-data/ AWS Metadata endpoint
URL = http://localhost:9200 Internal Elasticsearch
URL = http://internal-gitlab-db.example.com:5432 Internal database
The GitLab server, not the attacker's browser, makes this request.
If successful, the response from the internal service is returned to the attacker.

The vulnerability lies in the server-side handling of the webhook URL, where it fails to properly validate or block requests to private IP ranges .
Attackers can chain this with DNS rebinding techniques to bypass simple blocklists .

Protection from this CVE:

1. Immediate Patching: Upgrade to the fixed versions.
For Omnibus installations:
sudo gitlab-ctl upgrade
For source installations, update to:
v13.8.4, v13.7.7, or v13.6.7
2. Verify the current GitLab version:
sudo gitlab-rake gitlab:env:info | grep GitLab
or
head -1 /opt/gitlab/version-manifest.txt
3. Mitigation (if immediate patching is not possible):
- Disable webhooks if not absolutely necessary, or restrict their usage to specific, trusted users.
- Implement network-level controls (e.g., firewalls, IDS/IPS) to block outbound traffic from the GitLab server to sensitive internal IP ranges (like 127.0.0.0/8, 169.254.169.254/32, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
- Monitor GitLab server logs for unusual outbound connection attempts.
4. Detection: Check logs for requests to internal IPs originating from the webhook handler.
sudo grep -r "webhook" /var/log/gitlab/gitlab-rails/ | grep -E "(127.0.0.1|169.254.169.254|10.|172.(1[6-9]|2[0-9]|3[0-1])|192.168.)"

Impact:

Critical Information Disclosure: An unauthenticated attacker can read sensitive data from internal networks, including cloud instance metadata, which can contain credentials for privileged access .
Internal Network Scanning: The vulnerability can be used to map internal network topologies and identify live hosts and services .
Potential for RCE: In complex environments, SSRF can be chained with other exploits against internal services (e.g., vulnerable administrative panels or databases) to achieve remote code execution on internal systems, escalating the impact from information disclosure to full system compromise .
Widespread Exploitation: The inclusion of this CVE in a coordinated, multi-IP exploitation campaign in March 2025 highlights its continued relevance and the risk it poses to unpatched systems .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: www.cve.org
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top