CVE-2022-2992

CRITICAL LAB

GitLab GitHub Repo Import Deserialization RCE

Title source: metasploit

Exploitation Summary

EIP tracks 3 public exploits for CVE-2022-2992. PoCs published by CsEnox, Malwareman007, William Bowling (vakzz), Heyder Andrade <https://infosec.exchange/@heyder>, RedWay Security <https://infosec.exchange/@redway>, including Metasploit module exploits/multi/http/gitlab_github_import_rce_cve_2022_2992.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2022-2992, an authenticated RCE vulnerability in GitLab via GitHub import. The exploit leverages Ruby deserialization gadgets to achieve remote code execution on vulnerable GitLab instances.

Description

A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint.

Exploits (3)

nomisec WORKING POC 225 stars
by CsEnox · poc
https://github.com/CsEnox/CVE-2022-2992

This repository contains a functional exploit for CVE-2022-2992, an authenticated RCE vulnerability in GitLab via GitHub import. The exploit leverages Ruby deserialization gadgets to achieve remote code execution on vulnerable GitLab instances.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: GitLab CE/EE (versions 11.10 before 15.1.6, 15.2 before 15.2.4, 15.3 before 15.3.2)
Auth required
Prerequisites: Authenticated GitLab user with API access · Ngrok or similar tunneling service · Ruby and Redis for payload generation · Python3 and Flask for the exploit server
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 8 stars
by Malwareman007 · poc
https://github.com/Malwareman007/CVE-2022-2992

This repository contains a functional exploit for CVE-2022-2992, an authenticated RCE vulnerability in GitLab via GitHub import. The exploit leverages Ruby deserialization gadgets to achieve remote code execution on vulnerable GitLab instances.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: GitLab CE/EE (versions 11.10 before 15.1.6, 15.2 before 15.2.4, 15.3 before 15.3.2)
Auth required
Prerequisites: Authenticated GitLab user with API access token · Ngrok or similar tunneling service · Ruby and Redis installed · Python3 and Flask
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by William Bowling (vakzz), Heyder Andrade <https://infosec.exchange/@heyder>, RedWay Security <https://infosec.exchange/@redway> · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/gitlab_github_import_rce_cve_2022_2992.rb

This Metasploit module exploits CVE-2022-2992, a deserialization vulnerability in GitLab's GitHub repository import feature. It allows authenticated users to achieve RCE by injecting a malicious Redis serialization payload into the session cache.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: GitLab versions 11.10 to 15.1.6, 15.2 to 15.2.4, and 15.3 to 15.3.2
Auth required
Prerequisites: Valid GitLab credentials · Network access to the target GitLab instance
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 9.9
EPSS: 0.8619
EPSS Percentile: 99.7%
Attack Vector: NETWORK
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: total

Details

CWE: CWE-74
Status: published
Products (1): gitlab/gitlab 11.10 - 15.1.6 (2 CPE variants)
Published: Oct 17, 2022
Tracked Since: Feb 18, 2026