In a startling revelation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a serious warning regarding a vulnerability in GitLab that has been around for five years but is still being actively exploited in cyberattacks today. This flaw, known as CVE-2021-39935, relates to a server-side request forgery (SSRF) issue that could allow unauthorized attackers to gain access to vital systems without needing any special privileges.
Back in December 2021, GitLab addressed this specific vulnerability, emphasizing that it could permit unauthenticated users to exploit the CI Lint API—a tool used for simulating pipelines and validating Continuous Integration/Continuous Deployment (CI/CD) configurations. The company clearly stated at the time, "When user registration is limited, external users who are not developers should not have access to the CI Lint API."
GitLab's announcement pointed out that the flaw affected all versions of their software starting from 10.5 up to 14.3.6, as well as versions 14.4 up to 14.4.4, and from 14.5 up to 14.5.2. This means that unauthorized external users could potentially execute server-side requests via the CI Lint API, posing a significant security risk.
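As an added example (not code from CISA, GitLab, or the article), the following Python helper triages an inventory of GitLab version strings against the affected ranges quoted above. It assumes GitLab's advisory convention that the upper bound of each range is the first patched release (so 14.3.6, 14.4.4 and 14.5.2 are treated as fixed), and the inventory is constructed sample data.

```python
# Affected version ranges for CVE-2021-39935 as listed in the article.
# Assumption: each range is read as "starting from X before Y", so the
# upper bound Y is the patched release and is NOT affected.
AFFECTED_RANGES = [
    ((10, 5, 0), (14, 3, 6)),
    ((14, 4, 0), (14, 4, 4)),
    ((14, 5, 0), (14, 5, 2)),
]

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "git.example.internal": "14.3.5-ee",
    "ci.example.internal": "14.5.2-ce",
    "legacy.example.internal": "13.12.0",
    "new.example.internal": "15.0.0",
}


def parse_version(text):
    """Turn a GitLab version string such as '14.3.5-ee' into (major, minor, patch)."""
    core = text.strip().split("-")[0]          # drop edition suffixes like -ee / -ce
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))  # pad '10.5' -> 10.5.0
    return tuple(nums)


def is_affected(text):
    """True if the version falls inside any affected range (lower inclusive, upper exclusive)."""
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def triage(inventory):
    """Given {host: version}, return the hosts still running an affected release."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"PATCH NEEDED: {host} runs {SAMPLE_INVENTORY[host]}")
```

Versions at or above the patched release in each branch, and anything newer than 14.5.2, are reported as not affected; unparsable strings raise rather than silently passing.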
Recently, CISA added this critical flaw to its catalog of vulnerabilities that are currently being exploited in the wild. They have mandated that all Federal Civilian Executive Branch (FCEB) agencies must patch their systems by February 24, 2026, following the guidelines set forth in Binding Operational Directive (BOD) 22-01. Although this directive specifically targets federal agencies, CISA strongly encourages all organizations, including those in the private sector, to take immediate action in securing their systems against ongoing attacks related to CVE-2021-39935.
CISA has warned, "These types of vulnerabilities are common attack vectors for malicious cyber actors and pose significant risks to the federal enterprise." They recommend that organizations apply the necessary mitigations as directed by the vendor, adhere to the BOD 22-01 guidance on cloud services, or cease using the product if no effective mitigations are available.
Current data from Shodan reveals that there are over 49,000 devices worldwide that feature a GitLab fingerprint and are exposed online, with the majority located in China. Notably, nearly 27,000 of these devices are operating on the default port 443, making them particularly vulnerable.
GitLab boasts over 30 million registered users on its DevSecOps platform, which is utilized by more than half of Fortune 100 companies, including notable names like Nvidia, Airbus, Goldman Sachs, T-Mobile, and Lockheed Martin. As such, the implications of this vulnerability extend far beyond individual organizations, potentially affecting the broader landscape of IT infrastructure security.
In addition to the GitLab issue, CISA recently highlighted a critical vulnerability in SolarWinds Web Help Desk software, which is also being actively exploited, and has urged government agencies to implement patches within three days.
As we move further into the future of IT infrastructure, organizations must recognize the speed at which modern cyber threats evolve and the necessity of proactive security measures. If you're interested in learning how to streamline your processes and bolster your organization's defenses against such vulnerabilities, check out the latest guide from Tines, which offers insights into reducing manual delays, enhancing reliability through automation, and building intelligent workflows that integrate seamlessly with existing tools.