PatchSiren cyber security CVE debrief

CVE-2021-22175 GitLab CVE debrief

CVE-2021-22175 is a GitLab server-side request forgery (SSRF) vulnerability that CISA has added to its Known Exploited Vulnerabilities catalog. That KEV listing means organizations using GitLab should treat this as a priority remediation item and follow the vendor’s mitigation guidance as soon as possible. The supplied source corpus does not include version ranges, exploitation details, or impact specifics beyond the SSRF classification, so the safest response is to prioritize mitigation based on the KEV status and the official vendor/CVE records.

Vendor: GitLab
Product: GitLab
CVSS: Unknown
CISA KEV: Listed
Original CVE published: 2026-02-18
Original CVE updated: 2026-02-18
Advisory published: 2026-02-18
Advisory updated: 2026-02-18

Who should care

GitLab administrators, security operations teams, vulnerability management owners, and cloud service operators running GitLab instances should pay attention to this CVE because it is listed in CISA’s KEV catalog.

Technical summary

The available official source data identifies CVE-2021-22175 as a GitLab server-side request forgery (SSRF) vulnerability. CISA classifies it as a known exploited vulnerability and provides a remediation deadline in the KEV entry. The provided corpus does not include affected version details or a deeper technical write-up, so no further technical claims should be made beyond the official classification and KEV status.

Defensive priority

High. CISA has placed this CVE in the Known Exploited Vulnerabilities catalog, which elevates it above routine backlog items and makes timely mitigation important.

Recommended defensive actions

  • Apply vendor-provided mitigations per official GitLab instructions as soon as possible.
  • Follow CISA BOD 22-01 guidance for cloud services where applicable.
  • If mitigations are unavailable, discontinue use of the product or service as directed by CISA guidance.
  • Review your GitLab deployment inventory and prioritize externally reachable instances.
  • Validate that remediation is completed before the CISA KEV due date in the official entry.

Evidence notes

CISA’s KEV feed lists CVE-2021-22175 as 'GitLab Server-Side Request Forgery (SSRF) Vulnerability' with vendorProject 'GitLab', dateAdded 2026-02-18, and dueDate 2026-03-11. The official CVE and NVD records are linked in the supplied corpus, but the corpus does not include detailed affected-version or exploit-scenario information.
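As an added example (not PatchSiren's, CISA's or GitLab's code), the script below shows how a vulnerability management team can turn the KEV fields quoted above (vendorProject, dateAdded, dueDate) into a remediation worklist: it parses a KEV-style JSON record, computes the remediation window and the days remaining before dueDate, and ranks a deployment inventory so that externally reachable, unremediated instances come first. The feed record is constructed from the values on this page rather than fetched from CISA, the three-host inventory is made up, and the P1/P2/done priority scheme and the `external`/`remediated` inventory fields are assumptions for the illustration.

```python
"""Rank GitLab instances for CVE-2021-22175 remediation against the CISA KEV due date."""
import json
from datetime import date

# Constructed KEV-style record using the field names and values quoted on this page.
# The real feed is a JSON document whose "vulnerabilities" list holds such objects.
KEV_FEED_JSON = json.dumps({
    "vulnerabilities": [
        {
            "cveID": "CVE-2021-22175",
            "vendorProject": "GitLab",
            "product": "GitLab",
            "vulnerabilityName": "GitLab Server-Side Request Forgery (SSRF) Vulnerability",
            "dateAdded": "2026-02-18",
            "dueDate": "2026-03-11",
        }
    ]
})

# Constructed inventory (hypothetical hosts); "external" and "remediated" are assumed fields.
INVENTORY = [
    {"host": "gitlab.example.internal", "external": False, "remediated": True},
    {"host": "gitlab-public.example.com", "external": True, "remediated": False},
    {"host": "gitlab-ci.example.net", "external": True, "remediated": False},
]

# Assumed priority scheme: unremediated internet-facing hosts first, then internal, then done.
PRIORITY_RANK = {"P1": 0, "P2": 1, "done": 2}


def _as_date(value):
    """Accept either a date object or an ISO 8601 string (as used in the KEV feed)."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def load_kev_entries(feed_json, vendor=None):
    """Parse a KEV feed document, optionally keeping only one vendorProject."""
    entries = json.loads(feed_json).get("vulnerabilities", [])
    if vendor is not None:
        entries = [e for e in entries if e.get("vendorProject") == vendor]
    return entries


def remediation_window_days(entry):
    """Days CISA allowed between dateAdded and dueDate."""
    return (_as_date(entry["dueDate"]) - _as_date(entry["dateAdded"])).days


def days_until_due(entry, today):
    """Days remaining before the KEV dueDate; negative once the deadline has passed."""
    return (_as_date(entry["dueDate"]) - _as_date(today)).days


def is_overdue(entry, today):
    return days_until_due(entry, today) < 0


def classify_host(host):
    """Map inventory attributes to the assumed P1/P2/done priority."""
    if host["remediated"]:
        return "done"
    return "P1" if host["external"] else "P2"


def prioritize(inventory, entry, today):
    """Return one worklist row per host, most urgent first (priority, then hostname)."""
    rows = []
    for host in inventory:
        priority = classify_host(host)
        rows.append({
            "host": host["host"],
            "cve": entry["cveID"],
            "priority": priority,
            "days_left": days_until_due(entry, today),
            # A host only counts as overdue if the deadline passed and it is still unremediated.
            "overdue": is_overdue(entry, today) and priority != "done",
        })
    rows.sort(key=lambda r: (PRIORITY_RANK[r["priority"]], r["host"]))
    return rows


if __name__ == "__main__":
    entry = load_kev_entries(KEV_FEED_JSON, vendor="GitLab")[0]
    print(f"{entry['cveID']}: {remediation_window_days(entry)}-day window, due {entry['dueDate']}")
    for row in prioritize(INVENTORY, entry, date.today()):
        print(row)
```

The same functions work unchanged on the live KEV feed, since only the `vulnerabilities` list and the four field names above are read; swap `KEV_FEED_JSON` for the downloaded document and `INVENTORY` for your asset register.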

Official resources

Public debrief based only on the supplied official/CISA source corpus and linked authoritative records. Technical specifics are intentionally limited to avoid unsupported claims.