CISA has ordered U.S. federal agencies to patch CVE-2021-39935, a server-side request forgery (SSRF) vulnerability in GitLab that was first fixed in December 2021 and is now being actively exploited. Under BOD 22-01, agencies have three weeks to remediate, and CISA urged all other organizations to prioritize the fix as well. #CVE-2021-39935 #GitLab
Keypoints
- CISA added CVE-2021-39935 to its Known Exploited Vulnerabilities (KEV) catalog, the list of flaws confirmed as exploited in the wild, and ordered federal agencies to patch affected systems.
- The flaw is an SSRF in GitLab's CI Lint API: an unauthenticated external user can make the GitLab server issue HTTP requests on their behalf, the classic SSRF pivot toward services that are reachable only from the server's own network.
- GitLab shipped fixes in December 2021 (versions 14.5.2, 14.4.4 and 14.3.6), but many self-managed instances have never been updated and remain exposed online.
- Federal Civilian Executive Branch agencies must remediate by February 24, 2026, three weeks after the catalog addition, under BOD 22-01; CISA urged private organizations to act on the same timeline.
- Shodan reports more than 49,000 exposed hosts carrying a GitLab fingerprint, and GitLab is widely used across major enterprises. Not every fingerprinted host runs an affected version, but the count shows how large the exposed population is.
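The practical question for an administrator is whether a given instance is still on an affected release. The following is an added example written for this summary, not code from GitLab or CISA. It encodes the affected ranges from GitLab's December 2021 security release for CVE-2021-39935 (from 10.5 before 14.3.6, from 14.4 before 14.4.4, from 14.5 before 14.5.2) and evaluates the JSON body that GitLab's authenticated `GET /api/v4/version` endpoint returns. The sample responses are constructed for illustration; the edition suffix handling (`-ee`, `-ce`) is an assumption about how version strings are formatted.

```python
"""
Version check for CVE-2021-39935 (SSRF in GitLab's CI Lint API).

Added example, not GitLab's or CISA's code. Affected ranges are taken from
GitLab's December 2021 security release: >= 10.5 and < 14.3.6,
>= 14.4 and < 14.4.4, >= 14.5 and < 14.5.2. Anything at or past the fixed
release of its minor line, or on a later minor line, is not affected.
"""
import json
import re

# (lower bound inclusive, upper bound exclusive) as (major, minor, patch).
AFFECTED_RANGES = [
    ((10, 5, 0), (14, 3, 6)),
    ((14, 4, 0), (14, 4, 4)),
    ((14, 5, 0), (14, 5, 2)),
]


def parse_version(text):
    """Turn a GitLab version string into a comparable (major, minor, patch) tuple.

    GitLab reports strings such as '14.5.1-ee' or '14.4.4'. The edition suffix
    and any pre-release marker are dropped (assumed format); the advisory ranges
    are the same for CE and EE. A missing patch component is treated as 0.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(version_text):
    """True if the version falls inside any range GitLab listed as affected."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def check_version_response(body):
    """Evaluate the JSON body from GitLab's GET /api/v4/version endpoint.

    The endpoint requires authentication and returns an object of the shape
    {"version": "...", "revision": "..."}. Returns (version, affected).
    """
    data = json.loads(body)
    version = data["version"]
    return version, is_affected(version)


# Constructed sample responses for demonstration; not captured from real hosts.
SAMPLE_RESPONSES = [
    '{"version": "14.5.1-ee", "revision": "aaaaaaa"}',  # one patch short of 14.5.2
    '{"version": "14.5.2", "revision": "bbbbbbb"}',     # first fixed 14.5 release
    '{"version": "13.12.15", "revision": "ccccccc"}',   # old 13.x line, never fixed
    '{"version": "10.4.7", "revision": "ddddddd"}',     # predates the vulnerable code
    '{"version": "16.0.0-ee", "revision": "eeeeeee"}',  # well past the fix
]

if __name__ == "__main__":
    for body in SAMPLE_RESPONSES:
        version, affected = check_version_response(body)
        verdict = "AFFECTED, update now" if affected else "not affected"
        print(f"{version:>12}: {verdict}")
```

The check deliberately keys on the version reported by the instance itself rather than on a Shodan-style fingerprint, since a banner match says nothing about patch level. Pre-release or nightly builds cut before the fix landed would pass this check while still carrying the bug, so treat any non-release build on an affected minor line as suspect.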