The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered government agencies to patch their systems against a five-year-old GitLab vulnerability that is actively being exploited in attacks.
GitLab patched this server-side request forgery (SSRF) flaw (tracked as CVE-2021-39935) in December 2021, saying it could allow unauthenticated attackers with no privileges to access the CI Lint API, which is used to simulate pipelines and validate CI/CD configurations.
“When user registration is limited, external users that aren’t developers shouldn’t have access to the CI Lint API,” the company said at the time.
“An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Unauthorized external users could perform Server Side Requests via the CI Lint API.”
On Tuesday, CISA added the flaw to its list of vulnerabilities exploited in the wild and ordered Federal Civilian Executive Branch (FCEB) agencies to patch their systems within three weeks, by February 24, 2026, as mandated by Binding Operational Directive (BOD) 22-01.
While BOD 22-01 targets only federal agencies, CISA has urged all organizations, including those in the private sector, to prioritize securing their devices against ongoing CVE-2021-39935 attacks.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warned. “Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”
Shodan is currently tracking over 49,000 devices with a GitLab fingerprint exposed online, the vast majority of which are from China, and nearly 27,000 are using the default port 443.
GitLab says its DevSecOps platform has more than 30 million registered users and is used by over 50% of Fortune 100 organizations, including high-profile companies such as Nvidia, Airbus, Goldman Sachs, T-Mobile, and Lockheed Martin.
Yesterday, CISA also flagged a critical SolarWinds Web Help Desk vulnerability as actively exploited and ordered government agencies to patch systems within three days.
Modern IT infrastructure moves faster than manual workflows can handle.
In this new Tines guide, learn how your team can reduce hidden manual delays, improve reliability through automated response, and build and scale intelligent workflows on top of tools you already use.
