CVE-2021-22192

CRITICAL LAB

GitLab CE/EE >=13.2 (<13.7.9, <13.8.6, <13.9.4) - Authenticated RCE via kramdown


Exploitation Summary

EIP tracks 3 public exploits for CVE-2021-22192. PoCs published by EXP-Docs, PetrusViet and lyy289065406.

AI-analyzed exploit summary: The EXP-Docs repository provides a functional exploit for CVE-2021-22192, an RCE in GitLab EE 13.2.0 that is reachable by an authenticated user (the advisory and the CVSS vector, PR:L, both require a low-privileged account; the automated analysis' "unauthenticated" label is wrong). It includes a Docker-based test environment, a step-by-step exploitation guide, and a payload delivered through GitLab's wiki markup rendering, which passes the document through the kramdown gem.

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2 (fixed in 13.7.9, 13.8.6 and 13.9.4) that allows authenticated users, without any further authorization, to execute arbitrary code on the server. The root cause is GitLab's use of the kramdown gem to render Markdown: a crafted document that reaches kramdown, including its Rouge syntax-highlighter options, is enough to execute arbitrary Ruby code. Any account that can submit content rendered this way, such as a wiki page, is sufficient; no administrative privilege is needed (CVSS PR:L).
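A version check against the affected ranges given on this page (>=13.2 <13.7.9, >=13.8 <13.8.6, >=13.9 <13.9.4), written as an added example rather than code from the page or the PoC repositories. It is meant for the "version" field that GitLab's GET /api/v4/version returns to an authenticated caller; the JSON response below is constructed. The one edge case worth knowing about is the edition suffix: GitLab reports "13.2.0-ee", and Gem::Version reads "-ee" as a prerelease tag that sorts below 13.2, so a naive comparison marks every affected instance as safe.

```ruby
# Added example, not code from the page or the PoC repositories.
require "json"
require "rubygems"

# [first affected, first fixed) per release line, as listed on this page.
AFFECTED_RANGES = [
  ["13.2", "13.7.9"],
  ["13.8", "13.8.6"],
  ["13.9", "13.9.4"],
].map { |lo, hi| [Gem::Version.new(lo), Gem::Version.new(hi)] }.freeze

# GitLab reports "13.2.0-ee" / "13.2.0-ce". Gem::Version turns "-ee" into a
# prerelease tag ("13.2.0.pre.ee") that orders BELOW 13.2, which would silently
# mark the whole affected range as unaffected. Strip the edition tag first.
def normalize_version(raw)
  raw.to_s.strip.sub(/-(ce|ee)\z/i, "")
end

# True when the (normalized) version falls inside one of the affected ranges.
def vulnerable_version?(raw)
  v = Gem::Version.new(normalize_version(raw))
  AFFECTED_RANGES.any? { |lo, hi| v >= lo && v < hi }
end

# The same comparison without normalization, kept only to show the pitfall:
# it returns false for "13.2.0-ee" even though that build is affected.
def naive_vulnerable?(raw)
  v = Gem::Version.new(raw)
  AFFECTED_RANGES.any? { |lo, hi| v >= lo && v < hi }
end

# Takes the JSON body of /api/v4/version and returns [version, vulnerable?].
def assess_version_response(body)
  version = JSON.parse(body).fetch("version")
  [version, vulnerable_version?(version)]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample response, in the shape /api/v4/version returns.
  sample = '{"version":"13.2.0-ee","revision":"abc1234"}'
  version, vuln = assess_version_response(sample)
  puts "#{version}: #{vuln ? 'AFFECTED' : 'not affected'} " \
       "(naive comparison says #{naive_vulnerable?(version)})"
end
```

The ranges are upper-exclusive, so 13.7.9, 13.8.6 and 13.9.4 themselves report as not affected, matching the "fixed in" versions above.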

Exploits (3)

nomisec WORKING POC 36 stars
by EXP-Docs · poc
https://github.com/EXP-Docs/CVE-2021-22192

A functional exploit for CVE-2021-22192, an RCE in GitLab EE 13.2.0 that requires an authenticated account (the automated analysis labels it unauthenticated, which contradicts the advisory and the CVSS PR:L vector). It includes a Docker-based test environment, a step-by-step exploitation guide, and payload delivery via GitLab's wiki markup rendering.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: GitLab EE 13.2.0
Auth required: yes, a low-privileged authenticated user (CVSS PR:L)
Prerequisites: Docker and Docker Compose installed · Port 80 available · GitLab EE 13.2.0 environment
devstral-2 · analyzed Feb 18, 2026
nomisec WRITEUP 13 stars
by PetrusViet · poc
https://github.com/PetrusViet/Gitlab-RCE

This is a detailed technical analysis of CVE-2021-22192, focusing on the vulnerability in GitLab's use of the kramdown gem. It explains the root cause, patch analysis, and exploitation attempts, including the use of the Rouge formatter and potential RCE via the Hoosegow class.

Classification
Writeup 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Theoretical
Target: GitLab Community Edition (CE) and Enterprise Edition (EE) versions (>=13.2, <13.7.9), (>=13.8, <13.8.6), and (>=13.9, <13.9.4)
Auth required: yes, a low-privileged authenticated user (CVSS PR:L)
Prerequisites: Vulnerable version of GitLab or kramdown gem · Ability to submit crafted input to the kramdown parser
devstral-2 · analyzed Feb 18, 2026
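The writeup entry above locates the bug in how GitLab's kramdown path resolves a Rouge formatter named by the document. The following is an added example, not code from the page, the PoC repositories, kramdown or GitLab: it models the lookup with Ruby's Module#const_get, shows why a user-supplied name escapes the Rouge::Formatters namespace and reaches an arbitrary top-level class (the entry names Hoosegow as the class the researcher reached), and shows the namespace-restricted lookup that closes it. The Rouge::Formatters module, the DangerousGadget class and the attacker options are constructed stand-ins so the script runs without the rouge gem; the hardened variant is modelled from memory on the restriction later kramdown releases apply and is an assumption, not the upstream patch.

```ruby
# Added example, not code from the page, the PoC repositories, kramdown or GitLab.

# Constructed stand-in for the rouge gem's formatter namespace (runs offline).
module Rouge
  module Formatters
    class HTML
      attr_reader :opts
      def initialize(opts = {})
        @opts = opts
      end
    end
  end
end

# Constructed stand-in for any top-level class whose constructor does something
# dangerous with its options. It only records what it was handed and executes
# nothing; in the real application the writeup points at Hoosegow.
class DangerousGadget
  attr_reader :opts
  def initialize(opts = {})
    @opts = opts
  end
end

# Vulnerable pattern: the formatter name taken from the document's options goes
# straight to const_get with the default inherit=true. For a Module receiver that
# lookup also searches Object, so "DangerousGadget", "::DangerousGadget" or any
# "A::B" path resolves to a class outside Rouge::Formatters, and the caller then
# instantiates it with attacker-controlled opts.
def unsafe_formatter_class(opts)
  case fmt = opts[:formatter]
  when Class then fmt
  when String, Symbol then Rouge::Formatters.const_get(fmt)
  else Rouge::Formatters::HTML
  end
end

# Hardened pattern (assumption, modelled on the namespace restriction later
# kramdown releases apply): accept only a bare constant name and resolve it with
# inherit=false, so nothing outside Rouge::Formatters can be named. Malformed or
# unknown names fall back to the default formatter instead of raising.
FORMATTER_NAME = /\A[[:upper:]][[:alnum:]_]*\z/.freeze

def safe_formatter_class(opts)
  fmt = opts[:formatter]
  return fmt if fmt.is_a?(Class)
  return Rouge::Formatters::HTML unless FORMATTER_NAME.match?(fmt.to_s)
  Rouge::Formatters.const_get(fmt, false)
rescue NameError
  Rouge::Formatters::HTML
end

# Mirrors the step that matters at render time: look the class up, then .new(opts).
def build_formatter(opts, hardened:)
  klass = hardened ? safe_formatter_class(opts) : unsafe_formatter_class(opts)
  klass.new(opts)
end

# True when the document's options reached the gadget's constructor.
def gadget_reached?(opts, hardened:)
  build_formatter(opts, hardened: hardened).is_a?(DangerousGadget)
end

# Constructed attacker-controlled options, as they would arrive from a document
# that sets the syntax highlighter options; the extra key stands in for the
# path-style argument the PoCs describe.
ATTACKER_OPTS = { formatter: "DangerousGadget", source_dir: "../../uploads" }.freeze

if __FILE__ == $PROGRAM_NAME
  puts "unsafe lookup reaches gadget:   #{gadget_reached?(ATTACKER_OPTS, hardened: false)}"
  puts "hardened lookup reaches gadget: #{gadget_reached?(ATTACKER_OPTS, hardened: true)}"
  puts "hardened, '::' prefixed name:   #{gadget_reached?({ formatter: '::DangerousGadget' }, hardened: true)}"
end
```

The point to check in any similar code path is the pair (inherit flag, allowed name syntax): either one alone is insufficient, since inherit=false still accepts a "::"-prefixed or "A::B" name that walks out of the namespace, and the regex alone still lets an inherited top-level constant through.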
inthewild WORKING POC
by lyy289065406 · poc
https://github.com/lyy289065406/cve-2021-22192

This repository provides a functional exploit for CVE-2021-22192, a remote code execution (RCE) vulnerability in GitLab EE 13.2.0. The exploit abuses kramdown's option handling, which the analysis describes as a path traversal and command injection flaw in the kramdown parser, to load and execute arbitrary Ruby code on the server.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: GitLab EE 13.2.0
Auth required: yes, a low-privileged authenticated user able to upload files and create wiki pages (CVSS PR:L)
Prerequisites: Docker and docker-compose installed · GitLab EE 13.2.0 environment · Ability to upload files and create wiki pages
devstral-2 · analyzed Feb 23, 2026

References (3)

Permissions Required, Third Party Advisory (x_refsource_misc)
https://hackerone.com/reports/1125425

Scores

CVSS v3.1 9.9 (Critical)
Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector NETWORK, Attack Complexity LOW, Privileges Required LOW (an authenticated account is needed), User Interaction NONE, Scope CHANGED, Confidentiality/Integrity/Availability HIGH
EPSS 0.8116 (99.2nd percentile)

Lab Environment

COMMUNITY
Community Lab
docker pull gitlab/gitlab-ee:13.2.0-ee.0
docker pull gitlab/gitlab-runner:ubuntu-v13.10.0

Details

Status published
Products (1)
gitlab/gitlab 13.2.0 up to 13.7.9, upper bound excluded (13.7.9 is the first fixed release on that line; 2 CPE variants)
Published Mar 24, 2021
Tracked Since Feb 18, 2026