CVE-2021-22204

MEDIUM KEV LAB

GitLab Unauthenticated Remote ExifTool Command Injection

Title source: metasploit

Exploitation Summary

CVE-2021-22204 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 17, 2021. EIP tracks 21 public exploits from researchers including UNICORD, convisolabs and UNICORDev, among them the Metasploit module exploits/multi/http/gitlab_exif_rce.

AI-analyzed exploit summary: This exploit leverages CVE-2021-22204 in ExifTool to achieve arbitrary code execution by embedding a malicious DjVu file within a JPEG image. The payload is executed when ExifTool parses the crafted image.

Description

Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image.

Exploits (21)

exploitdb WORKING POC
by UNICORD · python · local · linux
https://www.exploit-db.com/exploits/50911

This exploit leverages CVE-2021-22204 in ExifTool to achieve arbitrary code execution by embedding a malicious DjVu file within a JPEG image. The payload is executed when ExifTool parses the crafted image.

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ExifTool versions 7.44-12.23
No auth needed
Prerequisites: ExifTool installed on the target system · Ability to deliver the crafted image to the target
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 94 stars
by convisolabs · client-side
https://github.com/convisolabs/CVE-2021-22204-exiftool

This repository contains a functional Python exploit for CVE-2021-22204, which leverages a command injection vulnerability in ExifTool via maliciously crafted metadata in an image file. The exploit generates a malicious image that, when processed by a vulnerable ExifTool instance, executes a reverse shell payload.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ExifTool (versions prior to the patch for CVE-2021-22204)
No auth needed
Prerequisites: ExifTool installed on the target system · Ability to deliver the malicious image to the target · Network connectivity for reverse shell callback
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 50 stars
by UNICORDev · local
https://github.com/UNICORDev/exploit-CVE-2021-22204

This repository contains a functional exploit for CVE-2021-22204, which targets ExifTool versions 7.44 to 12.23. The exploit generates a malicious JPEG image with embedded DjVu metadata to achieve arbitrary code execution when parsed by a vulnerable ExifTool instance.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ExifTool 7.44-12.23
No auth needed
Prerequisites: Python3 · djvulibre-bin · ExifTool
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 28 stars
by AssassinUKG · poc
https://github.com/AssassinUKG/CVE-2021-22204

This repository contains a functional exploit for CVE-2021-22204, which leverages improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up to achieve arbitrary code execution. The script generates a malicious DjVu file embedded within a JPEG, which executes Perl code when parsed by a vulnerable ExifTool instance.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ExifTool versions 7.44 and up
No auth needed
Prerequisites: djvulibre-bin installed · vulnerable ExifTool version
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 12 stars
by se162xg · client-side
https://github.com/se162xg/CVE-2021-22204

This repository contains a functional exploit for CVE-2021-22204, a vulnerability in ExifTool. The script crafts a malicious DjVu file that, when processed by ExifTool, executes arbitrary commands.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ExifTool versions 7.44 to 12.23
No auth needed
Prerequisites: ExifTool installed on the target system · Ability to deliver the crafted DjVu file to the target
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 8 stars
by bilkoh · client-side
https://github.com/bilkoh/POC-CVE-2021-22204

This repository contains a functional Perl script that generates a malicious DjVu image file exploiting CVE-2021-22204 in ExifTool. The script injects arbitrary commands into the image metadata, which are executed when processed by a vulnerable ExifTool instance.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Trivial
Reliability: Reliable
Target: ExifTool (versions before 12.24)
No auth needed
Prerequisites: DjVuLibre installed and in PATH · Vulnerable ExifTool version
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 4 stars
by Akash7350 · client-side
https://github.com/Akash7350/CVE-2021-22204

This repository contains a functional exploit for CVE-2021-22204, which targets ExifTool to achieve arbitrary code execution via a crafted JPEG image payload. The exploit generates a malicious image that, when processed by a vulnerable ExifTool version, executes a provided command or reverse shell.

Classification: Working PoC (90%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ExifTool (versions prior to 12.24)
No auth needed
Prerequisites: Vulnerable ExifTool installation · Ability to deliver crafted JPEG image to target
devstral-2 · analyzed Feb 18, 2026
nomisec WRITEUP 3 stars
by trganda · poc
https://github.com/trganda/CVE-2021-22204

This repository provides a detailed technical analysis of CVE-2021-22204, an ExifTool remote code execution vulnerability. It includes a step-by-step breakdown of the exploit process, Perl code analysis, and explanations of the DjVu file format manipulation required to trigger the vulnerability.

Classification: Writeup (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ExifTool < 12.24
No auth needed
Prerequisites: ExifTool version < 12.24 · Ability to upload a malicious DjVu file
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 3 stars
by PenTestical · poc
https://github.com/PenTestical/CVE-2021-22204

This repository contains a functional exploit for CVE-2021-22204, a remote code execution vulnerability in ExifTool. The exploit creates a malicious DJVU file that, when processed by ExifTool, executes a reverse shell to an attacker-controlled IP.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Trivial
Reliability: Reliable
Target: ExifTool (versions prior to 12.24)
No auth needed
Prerequisites: ExifTool installed on the target system · ExifTool executed with sufficient privileges (e.g., sudo) · Attacker-controlled IP for reverse shell
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 2 stars
by ph-arm · remote-auth
https://github.com/ph-arm/CVE-2021-22204-Gitlab

This repository contains a functional exploit for CVE-2021-22204, leveraging a vulnerability in ExifTool's DjVu module to achieve remote code execution (RCE) on GitLab instances prior to version 13.10.3. The exploit crafts a malicious JPEG file using djvumake and uploads it to trigger command execution.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: GitLab < 13.10.3
Auth required
Prerequisites: djvulibre-bin installed on attacker's machine · valid GitLab credentials · ability to upload files to GitLab
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by d4ytox · poc
https://github.com/d4ytox/CVE-2021-22204

This repository contains a functional exploit for CVE-2021-22204, an arbitrary code execution vulnerability in ExifTool versions 7.44 through 12.23. The exploit generates a malicious DjVu file that, when processed by a vulnerable ExifTool instance, executes attacker-controlled Perl code.

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ExifTool 7.44-12.23
No auth needed
Prerequisites: djvulibre-bin package · vulnerable ExifTool version on target
devstral-2 · analyzed Jun 13, 2026
nomisec WORKING POC
by TeddyEngel · remote
https://github.com/TeddyEngel/CVE-2021-22204

This repository contains a functional exploit for CVE-2021-22204, an arbitrary code execution vulnerability in ExifTool versions 7.44 to 12.23. The exploit generates a malicious DjVu file that, when processed by a vulnerable ExifTool version, executes attacker-controlled code via a Perl payload embedded in the file's metadata.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ExifTool 7.44 - 12.23
No auth needed
Prerequisites: djvulibre-bin package installed
devstral-2 · analyzed May 19, 2026
nomisec WORKING POC
by Roronoawjd · local
https://github.com/Roronoawjd/CVE-2021-22204

This repository contains a functional exploit for CVE-2021-22204, an arbitrary command execution vulnerability in ExifTool. The exploit generates a malicious image file that, when processed by ExifTool, executes a reverse shell payload.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ExifTool (versions prior to 12.23)
No auth needed
Prerequisites: Docker environment · ExifTool installed on target system
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC
by cc3305 · client-side
https://github.com/cc3305/CVE-2021-22204

This repository contains a functional exploit for CVE-2021-22204, which leverages improper sanitization in ExifTool to achieve arbitrary code execution via a malicious DjVu file embedded in an image. The script automates the creation of a malicious image file that triggers the vulnerability when processed by ExifTool.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ExifTool versions 7.44 to 12.23
No auth needed
Prerequisites: djvulibre-bin · exiftool · bzz · djvumake
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by battleofthebots · client-side
https://github.com/battleofthebots/dejavu

This repository contains a functional exploit for CVE-2021-22204, which leverages an unsafe eval in ExifTool's DjVu module to achieve remote code execution. The exploit involves hosting a malicious image file and tricking the vulnerable application into processing it, leading to arbitrary command execution.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ExifTool (versions with vulnerable DjVu module)
No auth needed
Prerequisites: Vulnerable ExifTool version · Ability to host a malicious image file · Network access to the target application
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by Asaad27 · poc
https://github.com/Asaad27/CVE-2021-22204-RSE

This repository contains a functional exploit for CVE-2021-22204, leveraging a vulnerability in ExifTool to execute arbitrary code via crafted DjVu files. The Dockerfile automates the setup of the environment and generates malicious DjVu files with embedded payloads.

Classification: Working PoC (90%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ExifTool (libimage-exiftool-perl)
No auth needed
Prerequisites: Docker environment · ExifTool installed
devstral-2 · analyzed Feb 18, 2026
metasploit WORKING POC EXCELLENT
by William Bowling, jbaines-r7 · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/gitlab_exif_rce.rb

This Metasploit module exploits an unauthenticated file upload and command injection vulnerability in GitLab (CVE-2021-22204) by leveraging a malicious JPEG file with embedded ExifTool commands. It achieves remote code execution as the 'git' user on vulnerable GitLab instances.

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: GitLab Community Edition (CE) and Enterprise Edition (EE) versions before 13.10.3, 13.9.6, and 13.8.8
No auth needed
Prerequisites: Network access to the GitLab instance · ExifTool vulnerability (CVE-2021-22204) present in the target environment
devstral-2 · analyzed Apr 30, 2026
vulncheck_xdb WORKING POC
local
https://github.com/BBurgarella/An-Ethical-Hacking-Journey

The repository contains a Python script designed to embed reverse shell payloads into images, exploiting text recognition vulnerabilities. It includes functionality to generate images with payloads and supports base64 encoding, font customization, and fuzzing for OCR evasion.

Classification: Working PoC (90%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Systems vulnerable to text recognition exploits (e.g., OCR-based applications)
No auth needed
Prerequisites: Listener IP and port · Payload text file · Target system with vulnerable text recognition
devstral-2 · analyzed Feb 25, 2026
vulncheck_xdb WORKING POC
local
https://github.com/mr-tuhin/CVE-2021-22204-exiftool

This repository contains a functional Python exploit for CVE-2021-22204, a vulnerability in ExifTool. The exploit generates a malicious image file (image.jpg) that triggers arbitrary code execution when processed by a vulnerable version of ExifTool.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ExifTool (versions prior to 12.30)
No auth needed
Prerequisites: Python 3 · djvulibre-bin · ExifTool (vulnerable version) · network connectivity for reverse shell
devstral-2 · analyzed Feb 25, 2026
vulncheck_xdb WORKING POC
client-side
https://github.com/0xBruno/CVE-2021-22204

This repository contains a functional exploit for CVE-2021-22204, an RCE vulnerability in ExifTool. The exploit crafts a malicious DjVu file with embedded Perl code to achieve remote command execution when processed by a vulnerable ExifTool instance.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ExifTool (versions prior to 12.30)
No auth needed
Prerequisites: vulnerable ExifTool installation · ability to pass a malicious file to the target
devstral-2 · analyzed Feb 25, 2026
metasploit WORKING POC EXCELLENT
by William Bowling, Justin Steven · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/fileformat/exiftool_djvu_ant_perl_injection.rb

This Metasploit module exploits a Perl injection vulnerability in ExifTool (CVE-2021-22204) by embedding malicious DjVu ANT metadata in image files (JPEG, TIFF, or DjVu). The payload executes arbitrary commands via Perl backticks when the file is processed by ExifTool.

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ExifTool versions 7.44 through 12.23
No auth needed
Prerequisites: ExifTool installed on target system · Ability to deliver crafted image file to target
devstral-2 · analyzed Feb 16, 2026

References (15)

Core References
https://hackerone.com/reports/1154542 (Exploit, Issue Tracking, Third Party Advisory; x_refsource_misc)
https://www.debian.org/security/2021/dsa-4910 (Mailing List, Third Party Advisory; vendor-advisory, x_refsource_debian)
http://www.openwall.com/lists/oss-security/2021/05/09/1 (Mailing List, Third Party Advisory; mailing-list, x_refsource_mlist)
http://www.openwall.com/lists/oss-security/2021/05/10/5 (Mailing List, Third Party Advisory; mailing-list, x_refsource_mlist)
http://packetstormsecurity.com/files/162558/ExifTool-DjVu-ANT-Perl-Injection.html (Exploit, Third Party Advisory, VDB Entry; x_refsource_misc)
https://lists.debian.org/debian-lts-announce/2021/05/msg00018.html (Mailing List, Third Party Advisory; mailing-list, x_refsource_mlist)
http://packetstormsecurity.com/files/164994/GitLab-13.10.2-Remote-Code-Execution.html (Exploit, Third Party Advisory, VDB Entry; x_refsource_misc)
http://packetstormsecurity.com/files/167038/ExifTool-12.23-Arbitrary-Code-Execution.html (Exploit, Third Party Advisory, VDB Entry; x_refsource_misc)

Scores

CVSS v3 6.8
EPSS 0.9278
EPSS Percentile 99.8%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact partial

Details

CISA KEV 2021-11-17
VulnCheck KEV 2021-09-30
InTheWild.io 2021-11-17
ENISA EUVD EUVD-2021-9350
CWE
CWE-94
Status published
Products (6)
debian/debian_linux 9.0
debian/debian_linux 10.0
exiftool_project/exiftool 7.44 - 12.24
fedoraproject/fedora 32
fedoraproject/fedora 33
fedoraproject/fedora 34
Published Apr 23, 2021
KEV Added Nov 17, 2021
Tracked Since Feb 18, 2026