CVE-2021-22210

MEDIUM

GitLab 13.2.0-13.9.7 - Allocation of Resources Without Limits or Throttling via API Branch Query

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-22210. PoCs published by Jeromeyoung.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2021-22205, an unauthorized file upload vulnerability in GitLab. The exploit crafts a malicious DJVU file with embedded commands to achieve remote code execution (RCE) via file upload.

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2. When querying the repository branches through API, GitLab was ignoring a query parameter and returning a considerable amount of results.

Exploits (1)

nomisec WORKING POC

by Jeromeyoung · poc

https://github.com/Jeromeyoung/CVE-2021-22210

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2021-22205, an unauthorized file upload vulnerability in GitLab. The exploit crafts a malicious DJVU file with embedded commands to achieve remote code execution (RCE) via file upload.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: GitLab (versions affected by CVE-2021-22205)

No auth needed

Prerequisites: Target GitLab instance with vulnerable version · Network access to the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1204 - User Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (2)

Core 2

Core References

Broken Link x_refsource_misc

https://gitlab.com/gitlab-org/gitlab/-/issues/322500

Vendor Advisory x_refsource_confirm

https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22210.json

Scores

CVSS v3 5.3

EPSS 0.0115

EPSS Percentile 62.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Details

CWE

CWE-770

Status published

Products (1)

gitlab/gitlab 13.2.0 - 13.9.7 (2 CPE variants)

Published May 06, 2021

Tracked Since Feb 18, 2026