Lyrie · Actively exploited · 3 sources verified
By Lyrie Threat Intelligence · 2/3/2026

What happened

CISA added GitLab CVE-2021-39935 to the Known Exploited Vulnerabilities (KEV) catalog, confirming in-the-wild exploitation and mandating federal remediation timelines (CISA KEV). The entry describes a server-side request forgery (SSRF) in GitLab Community and Enterprise Editions that lets unauthorized external users perform server-side requests via the CI Lint API (CISA KEV). The CVE is tracked as an SSRF-class issue mapped to CWE-918 in public databases (NVD CVE-2021-39935, MITRE CVE).

Per CISA’s KEV policy, federal civilian agencies are required to apply vendor mitigations or discontinue use where unavailable, in alignment with BOD 22-01 timelines; for this entry, the due date is 2026-02-24 (CISA KEV). The KEV listing explicitly ties the risk to unauthenticated abuse of the CI Lint API to coerce GitLab into making outbound requests (CISA KEV), which is consistent with the NVD’s SSRF classification for this CVE (NVD CVE-2021-39935).

Why it matters

An SSRF primitive inside a DevOps platform like GitLab is high leverage: it turns the server into a proxy for attacker-chosen requests when reachable from the internet (NVD CVE-2021-39935). CISA’s inclusion in KEV means exploitation has been observed, not hypothetical, which elevates this from “patch soon” to “treat as an active threat” (CISA KEV). Because the reported condition allows “unauthorized external users” to invoke the CI Lint API, the barrier to entry is low for opportunistic scanning and mass exploitation against exposed instances (CISA KEV).

SSRF vulnerabilities commonly enable network pivoting through the vulnerable host’s trust boundaries, aligned with CWE-918’s definition of the class (MITRE CVE). In a CI/CD context, that can mean access paths that don’t exist from the public internet but do from the GitLab server, complicating detection if you rely solely on perimeter telemetry (NVD CVE-2021-39935).

Technical detail

CVE-2021-39935 is an SSRF in GitLab’s CI Lint API surface that can be driven by external, unauthenticated users to force the GitLab server to initiate outbound requests (CISA KEV). NVD records this as a server-side request forgery vulnerability (CWE-918), reinforcing the impact category and typical abuse pattern: the attacker supplies a crafted URL/target and the server performs the fetch (NVD CVE-2021-39935, MITRE CVE).

In practice, the exploitation flow is straightforward: locate an exposed GitLab instance, hit the CI Lint API endpoint with attacker-controlled parameters, and coerce outbound network activity from the GitLab host (CISA KEV). Given KEV status, this pattern is not theoretical; adversaries are leveraging it in the wild against affected versions of GitLab CE/EE (CISA KEV). The absence of authentication on the abused pathway reduces prerequisites, which drives scanning volume and automated exploitation attempts (CISA KEV).

Two telemetry implications follow from SSRF abuse: you will see legitimate-looking inbound HTTP to GitLab followed by GitLab-originated egress to attacker-selected destinations, and you may not see the attacker’s ultimate target at the perimeter if the route stays internal (NVD CVE-2021-39935). That asymmetry means network allowlists and egress policies around the GitLab host materially affect both impact and detectability (NVD CVE-2021-39935).

Defense

  • Patch/mitigate now in line with the KEV mandate: apply vendor fixes or discontinue use if mitigations are unavailable, per BOD 22-01; agencies have until 2026-02-24 for remediation of this entry (CISA KEV).
  • Reduce exposure: if CI Lint functionality is internet-reachable, require authentication or restrict access to trusted networks to raise the bar for unauthenticated abuse of the SSRF path (CISA KEV).
  • Contain blast radius: enforce strict egress controls from the GitLab host so server-initiated requests cannot freely reach arbitrary external destinations, a direct mitigation for SSRF impact (NVD CVE-2021-39935).
  • Monitor for SSRF indicators: correlate spikes in CI Lint API usage with new or unusual outbound connections originating from the GitLab server to detect coercion patterns typical of SSRF (MITRE CVE, NVD CVE-2021-39935).
  • Prioritize internet-exposed instances: KEV status indicates active exploitation; inventory and triage GitLab nodes with external reachability first (CISA KEV).
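The telemetry asymmetry described under Technical detail and the egress-allowlist and monitoring bullets above both come down to one correlation: a CI Lint request arriving at GitLab, followed within seconds by an outbound connection from the GitLab host to a destination it has no business reaching. The script below is an added example of that correlation logic; it is not Lyrie's detector and not GitLab code. It assumes the CI Lint endpoint lives at /api/v4/ci/lint (or the per-project /api/v4/projects/<id>/ci/lint form) in GitLab's v4 REST API, that the access log is in common log format, and that egress is recorded as one-line key=value connection events from the GitLab host. Every log line and the allowlist are constructed sample data. Non-allowlisted egress with no CI Lint call in the preceding window is reported separately as "unexplained", since under strict egress policy it should not occur at all.

```python
"""Correlate inbound CI Lint API calls with GitLab-host egress to surface SSRF-style coercion.

Added example; assumptions: CI Lint path under /api/v4 (adjust for your deployment),
common-log-format access log, key=value egress events, constructed sample data throughout.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Assumed CI Lint path pattern (GitLab v4 REST API, global and per-project forms).
CI_LINT_PATH = re.compile(r"^/api/v4/(?:projects/[^/]+/)?ci/lint(?:[/?]|$)")

# Constructed egress allowlist: networks the GitLab host is expected to reach (e.g. DB tier).
EGRESS_ALLOW = [ip_network("10.0.1.0/24")]

# Egress this soon after a CI Lint call is treated as coupled to it.
WINDOW = timedelta(seconds=5)

ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
EGRESS_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


@dataclass
class LintCall:
    ts: datetime
    src: str
    path: str
    status: int


@dataclass
class Egress:
    ts: datetime
    dst: str
    dport: int


def parse_access_log(text: str) -> list[LintCall]:
    """Return only the CI Lint requests from a common-log-format access log."""
    calls = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m or not CI_LINT_PATH.match(m["path"]):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        calls.append(LintCall(ts, m["src"], m["path"], int(m["status"])))
    return calls


def parse_egress_log(text: str) -> list[Egress]:
    """Parse one-line connection events recorded for the GitLab host."""
    events = []
    for line in text.splitlines():
        m = EGRESS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Egress(ts, m["dst"], int(m["dport"])))
    return events


def is_allowed(dst: str) -> bool:
    """True when the destination falls inside an allowlisted network."""
    addr = ip_address(dst)
    return any(addr in net for net in EGRESS_ALLOW)


def correlate(calls: list[LintCall], egress: list[Egress]) -> dict[str, list[dict]]:
    """Pair each non-allowlisted egress event with the closest CI Lint call that preceded it."""
    correlated, unexplained = [], []
    for ev in egress:
        if is_allowed(ev.dst):
            continue  # expected traffic: not interesting for this detector
        prior = [c for c in calls if timedelta(0) <= ev.ts - c.ts <= WINDOW]
        record = {"egress_ts": ev.ts.isoformat(), "dst": ev.dst, "dport": ev.dport}
        if prior:
            c = max(prior, key=lambda c: c.ts)
            record.update(lint_ts=c.ts.isoformat(), lint_src=c.src,
                          delta_s=(ev.ts - c.ts).total_seconds())
            correlated.append(record)
        else:
            unexplained.append(record)
    return {"correlated": correlated, "unexplained": unexplained}


# Constructed sample logs (documentation address ranges; nothing here is real telemetry).
ACCESS_LOG = """\
198.51.100.7 - - [03/Feb/2026:10:00:01 +0000] "POST /api/v4/ci/lint HTTP/1.1" 200 512
10.0.2.15 - - [03/Feb/2026:10:00:03 +0000] "GET /api/v4/projects HTTP/1.1" 200 2048
198.51.100.7 - - [03/Feb/2026:10:00:40 +0000] "POST /api/v4/ci/lint HTTP/1.1" 200 498
"""
EGRESS_LOG = """\
2026-02-03T10:00:02Z src=10.0.2.10 dst=10.0.5.9 dport=8080 proto=tcp
2026-02-03T10:00:20Z src=10.0.2.10 dst=10.0.1.20 dport=5432 proto=tcp
2026-02-03T10:00:41Z src=10.0.2.10 dst=192.0.2.50 dport=443 proto=tcp
2026-02-03T10:00:55Z src=10.0.2.10 dst=192.0.2.60 dport=443 proto=tcp
"""


def run_sample() -> dict[str, list[dict]]:
    """Run the detector over the constructed logs and return its findings."""
    return correlate(parse_access_log(ACCESS_LOG), parse_egress_log(EGRESS_LOG))


if __name__ == "__main__":
    for kind, records in run_sample().items():
        for r in records:
            print(kind, r)
```

On the sample data the detector pairs two non-allowlisted egress events (one to an internal host outside the allowlist, one to an external address) with the CI Lint calls one second before them, and reports the final external connection as unexplained because no lint call falls inside the window. The window and allowlist are the two knobs worth tuning: a tight window keeps false positives low on a busy instance, while a complete allowlist is what turns the "unexplained" bucket into a useful signal in its own right.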

Lyrie Verdict

This is an attacker-friendly primitive: unauthenticated input drives server egress through a CI API, perfect for automation loops and machine-speed reconnaissance (CISA KEV). Lyrie’s autonomous detectors treat SSRF like a correlation problem: bind inbound CI Lint invocations to immediate, non-baseline egress from the GitLab process, and cut dwell time by flagging the coupled pattern in seconds rather than waiting for human triage (NVD CVE-2021-39935). Against rogue-AI operators iterating through target lists, we run at machine speed—auto-mapping the behavioral chain unique to this CVE (unauth CI Lint call → forced outbound request) and enforcing pre-emptive containment on the GitLab host’s egress to break the loop before lateral effects materialize (MITRE CVE).

Unauthenticated SSRF via GitLab’s CI Lint API enables automated, low-friction exploitation. Lyrie correlates inbound CI API hits with anomalous GitLab egress and enforces rapid containment at machine speed, disrupting rogue-AI loops before pivot.