A Five-Year-Old GitLab Flaw Puts Organizations at Risk
The U.S. government is on high alert, with the Cybersecurity and Infrastructure Security Agency (CISA) issuing a critical warning about a GitLab vulnerability that has been lurking for half a decade. This flaw, a server-side request forgery (SSRF) issue, was first patched by GitLab in December 2021, but its impact is still being felt.
The vulnerability, identified as CVE-2021-39935, could allow unauthorized users to access the CI Lint API, a powerful tool used to test and validate CI/CD pipelines. GitLab's initial patch addressed the issue, stating, "External users without developer privileges should not have access to the CI Lint API when user registration is restricted." The flaw has since been exploited in the wild, and its impact is far-reaching.
CISA has taken swift action, adding CVE-2021-39935 to its list of known exploited vulnerabilities and ordering federal agencies to patch their systems by February 24, 2026. But the risk extends beyond government networks. Shodan, a search engine for internet-connected devices, has identified over 49,000 devices with GitLab fingerprints exposed online, many of which are in China. The exposure is compounded by GitLab's reach: its DevSecOps platform is used by over 30 million registered users, including half of the Fortune 100 companies. That is a massive potential attack surface.
CISA's warning is clear: organizations must prioritize patching this flaw to protect their systems. But with thousands of exposed devices and a popular platform at risk, the question remains—how many organizations will heed the warning in time?
In other news, CISA also flagged a critical SolarWinds Web Help Desk vulnerability, urging government agencies to patch systems within three days. The cybersecurity landscape is ever-evolving, and these incidents highlight the need for constant vigilance.