
CISA Alerts: Old GitLab Bug Actively Exploited in Attacks

Summary

– CISA ordered U.S. federal agencies to patch a known GitLab vulnerability (CVE-2021-39935) that is being actively exploited.
– The flaw is a server-side request forgery (SSRF) in GitLab’s CI Lint API, allowing unauthorized external users to perform server-side requests.
– Federal agencies must apply patches by February 24, 2026, but CISA urges all organizations, including private sector, to prioritize this fix.
– Over 49,000 GitLab instances are exposed online; GitLab's platform is used by major companies and by more than half of the Fortune 100.
– This directive follows another recent CISA order to patch a critical, exploited SolarWinds vulnerability within three days.

A critical security flaw in GitLab, first addressed years ago, is now the focus of urgent warnings from U.S. cybersecurity authorities due to active exploitation. The Cybersecurity and Infrastructure Security Agency (CISA) has mandated that all federal civilian agencies apply patches for this vulnerability within a strict three-week deadline. This directive highlights the ongoing threat posed by older, unpatched software vulnerabilities that attackers continue to leverage for unauthorized access.

The specific issue, identified as CVE-2021-39935, is a server-side request forgery (SSRF) weakness that GitLab resolved in December 2021. It affects a wide range of GitLab Community and Enterprise Edition versions. The flaw resides within the CI Lint API, the endpoint developers use to validate continuous integration pipeline definitions before running them. Under certain configurations, it could allow individuals without any authentication or special privileges to make the GitLab server issue requests on their behalf, potentially reaching internal systems that are not themselves exposed to the internet.

GitLab's original advisory noted that, when user registration is restricted, external users who are not developers should not be able to reach this API endpoint at all. Although the patch has been available for more than four years, many systems remain unupdated, leaving a large attack surface for threat actors.
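For administrators who want to check their own instance against the two conditions the article describes, the following script is an added example written for this page; it is not GitLab's code and does not exploit the flaw. It does two things: it sends a harmless, syntactically valid pipeline definition to the CI Lint endpoint (POST /api/v4/ci/lint) with no credentials and reports whether the server accepted it, and it compares a reported version string against the December 2021 patch releases. The fixed-release numbers (14.3.6, 14.4.4, 14.5.2) are this editor's assumption and should be confirmed against GitLab's advisory; the hostname `gitlab.example.internal` and the pipeline YAML are constructed for the example.

```python
"""
Added example (not GitLab's code): exposure and version checks relevant to
the CI Lint API SSRF discussed above.  The lint request carries no token and
asks the server to fetch nothing; a 200 only means the endpoint is reachable
without authentication, which the advisory says external users should not have.
"""
import json
import sys
import urllib.error
import urllib.request

# ASSUMPTION: first patched release on each branch (December 2021).
# Verify these against GitLab's advisory before relying on them.
FIXED_RELEASES = {(14, 3): (14, 3, 6), (14, 4): (14, 4, 4), (14, 5): (14, 5, 2)}
# Branches older than the oldest patched one never received a fix.
OLDEST_PATCHED_BRANCH = (14, 3)
# Benign pipeline used as lint input; constructed for this example.
BENIGN_CI_YAML = "stages:\n  - test\nunit:\n  stage: test\n  script:\n    - echo ok\n"


def parse_version(text):
    """'14.3.5-ee' -> (14, 3, 5); the edition suffix is ignored."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable_version(text):
    """True if the version predates the fixed release for its branch."""
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch < OLDEST_PATCHED_BRANCH:
        return True                      # unpatched, end-of-life branch
    if branch in FIXED_RELEASES:
        return (major, minor, patch) < FIXED_RELEASES[branch]
    return False                         # newer than any branch listed above


def classify_lint_status(status):
    """Map the HTTP status of an unauthenticated lint request to a verdict."""
    if status is None:
        return "unreachable"
    if status == 200:
        return "exposed"                 # endpoint answered without a token
    if status in (401, 403):
        return "requires auth"
    if status == 404:
        return "endpoint absent"
    return "unexpected"


def probe_ci_lint(base_url, timeout=10):
    """POST the benign config to /api/v4/ci/lint with no token; return HTTP status."""
    body = json.dumps({"content": BENIGN_CI_YAML}).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v4/ci/lint",
        data=body,
        method="POST",
        headers={"Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code                    # 401/403/404 arrive as exceptions
    except urllib.error.URLError:
        return None                      # DNS failure, refused connection, timeout


if __name__ == "__main__":
    # ASSUMPTION: hostname is a placeholder; pass your own instance URL.
    url = sys.argv[1] if len(sys.argv) > 1 else "https://gitlab.example.internal"
    status = probe_ci_lint(url)
    print(f"{url}: HTTP {status} -> CI Lint API {classify_lint_status(status)}")
    if len(sys.argv) > 2:
        ver = sys.argv[2]
        print(f"version {ver}: {'VULNERABLE' if is_vulnerable_version(ver) else 'patched'}")
```

Run it as `python3 check_lint.py https://gitlab.example.internal 14.4.3` (URL and version are placeholders). An "exposed" verdict on an instance where registration is restricted, or a version older than the patched release for its branch, is the condition the advisory describes; the request itself is inert, so it is safe to run against production.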

CISA has now formally added this vulnerability to its Known Exploited Vulnerabilities catalog. This action triggers Binding Operational Directive (BOD) 22-01, which requires Federal Civilian Executive Branch agencies to secure their systems against this flaw by February 24, 2026. While the directive legally binds only federal agencies, CISA strongly recommends that all organizations, including private sector companies, immediately prioritize patching to defend against ongoing attacks. The agency emphasized that such flaws are common vectors for malicious cyber activity and pose substantial risks.

Internet scanning data reveals the scale of the potential problem, with tens of thousands of GitLab instances currently exposed online. A significant portion of these answer on the default web port, which suggests they are internet-facing and remain vulnerable if they have not been updated. Given that GitLab's platform boasts over 30 million registered users and is employed by more than half of Fortune 100 companies, including major names in technology, finance, and aerospace, the implications of widespread exploitation are severe.

This alert follows another recent CISA warning concerning a critically exploited vulnerability in SolarWinds software, for which agencies were given just three days to patch. The consecutive advisories underscore a heightened focus on compelling rapid action against known security weaknesses that are under active attack, pushing organizations to move beyond simple vulnerability awareness to concrete remediation.

(Source: Bleeping Computer)
