CVE-2021-22224

7.1 HIGH

📋 TL;DR

This CSRF vulnerability in GitLab's GraphQL API lets an attacker run GraphQL mutations as a logged-in user without that user's consent. It affects GitLab CE/EE 13.12.0 through 13.12.5 and 14.0.0 through 14.0.1. A victim who is authenticated to GitLab and loads an attacker-controlled page has the forged request sent by their own browser, with their session cookie attached; the attacker needs no GitLab account of their own.

💻 Affected Systems

Products:
  • GitLab Community Edition
  • GitLab Enterprise Edition
Versions: 13.12.0 to 13.12.5, 14.0.0 to 14.0.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects every GitLab deployment on the listed versions; the GraphQL endpoint (/api/graphql) is part of every install. Exploitation needs a victim with an active GitLab session, not an attacker account.

📦 What is this software?

Gitlab by Gitlab

GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...

Learn more about Gitlab →


⚠️ Risk & Real-World Impact

🔴

Worst Case

Anything the victim's own permissions allow through a GraphQL mutation, executed as the victim: repository and merge-request manipulation, data exposure through membership or visibility changes, and privilege escalation when the victim is an administrator. The impact is bounded by what that account may do, not by what the attacker's account may do.

🟠

Likely Case

Unauthorized modifications to repositories, issues, merge requests, or user settings through GraphQL mutations.

🟢

If Mitigated

Once patched, a cross-site POST to /api/graphql that lacks a valid CSRF token is no longer executed with the victim's session, so mutations cannot run as the victim. Network controls and WAF rules only reduce exposure; they do not remove the flaw.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

The attacker needs no account of their own; the victim must hold an active GitLab session and load an attacker-controlled page. That page submits a request to /api/graphql, and the browser attaches the victim's session cookie to it. No interaction beyond visiting the page is required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 13.12.6, 14.0.2, or later

Vendor Advisory: https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22224.json

Restart Required: Yes

Instructions:

1. Back up the instance. The application backup does not include /etc/gitlab, so copy gitlab.rb and gitlab-secrets.json separately.
2. Upgrade with the OS package manager to the fixed release of the branch you are on: 13.12.6 (or a later 13.12.x) for 13.12, 14.0.2 (or later) for 14.0. A 13.12 instance that wants to move to 14.0 must follow the 14.0 upgrade notes and prerequisites first rather than jumping straight across.
3. Run 'gitlab-ctl reconfigure' (the package upgrade normally does this itself).
4. Restart GitLab services and confirm the new version (see How to Verify).

🔧 Temporary Workarounds

No configuration-level workaround

There is no gitlab.rb key that switches on CSRF validation for /api/graphql: the check lives in the GraphQL controller's application code, and that code is what 13.12.6 and 14.0.2 change. In particular, gitlab_rails['graphql_csrf_protection'] is not a recognised GitLab setting; adding it to /etc/gitlab/gitlab.rb and running gitlab-ctl reconfigure protects nothing. Treat the items under "If You Can't Patch" as exposure reduction only; the patch is the fix.

🧯 If You Can't Patch

  • At the reverse proxy, reject POST /api/graphql when the request carries an Origin or Referer header whose scheme and host differ from your external_url. Browsers always attach Origin to a cross-site POST, while non-browser API clients (curl, glab, CI jobs) send neither header, so the rule stops the CSRF shape without breaking token-based API use. Check it against any in-house browser application that calls the API from another origin.
  • SameSite on the _gitlab_session cookie is set by the application, not by an admin setting in these versions; inspect the Set-Cookie header your instance actually sends before counting on it.
  • Source-IP restrictions and allow-lists do not help against this bug: the forged request comes from the victim's own browser, which is already allowed in.

🔍 How to Verify

Check if Vulnerable:

On an Omnibus install the first line of the version manifest names the edition and version (gitlab-ce or gitlab-ee, whichever you run), and the Rails VERSION file holds the bare number:

head -n 1 /opt/gitlab/version-manifest.txt
cat /opt/gitlab/embedded/service/gitlab-rails/VERSION

Check Version:

sudo gitlab-rake gitlab:env:info | grep -A1 '^GitLab information'

A plain grep for "Version" also matches the Ruby, Gem, Redis and Git version lines, which is why the grep above anchors on the GitLab section. Any authenticated API client can read the version as well, from GET /api/v4/version.

Verify Fix Applied:

Confirm the version is 13.12.6 or later on the 13.12 branch, or 14.0.2 or later, then confirm the behaviour rather than the number: a POST to /api/graphql that carries a valid session cookie but no X-CSRF-Token header must not execute as the logged-in user.
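The version comparison and the behavioural check above, as an added example (not part of this page or of GitLab's own tooling): the first half applies the advisory's two version ranges to whatever the commands print; the second half builds the request shape a cross-site page can make a browser send (session cookie, form-encoded body so no CORS preflight, foreign Origin, no X-CSRF-Token) and reads the answer. It assumes the Omnibus session cookie name _gitlab_session and GitLab's documented `echo` test query field, which answers "nil says: ..." when no user is attached to the request; the host, origin and cookie values are placeholders.

```python
import json
import re
import urllib.error
import urllib.request
from urllib.parse import urlencode

# Fixed releases named by the advisory, keyed by release branch (major, minor).
# Branches not listed (13.11 and earlier, 14.1 and later) are outside this
# CVE's stated version ranges.
FIXED = {(13, 12): (13, 12, 6), (14, 0): (14, 0, 2)}


def parse_version(text):
    """Extract x.y.z from any form the checks print:
    'gitlab-ee 14.0.1', 'Version:\t13.12.5', '13.12.5-ee'."""
    m = re.search(r'\b(\d+)\.(\d+)\.(\d+)\b', text)
    if not m:
        raise ValueError(f'no x.y.z version in {text!r}')
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version):
    """True when the version sits on an affected branch below its fix."""
    fix = FIXED.get(version[:2])
    return fix is not None and version < fix


def build_probe(base_url, session_cookie, text='csrf-probe',
                origin='https://attacker.example'):
    """The request a cross-site page can make a browser send: session cookie
    attached, form-encoded body (what an HTML form produces, so no preflight),
    a foreign Origin, and no X-CSRF-Token header.

    Assumption: the target exposes GitLab's `echo` test query field, which
    answers 'nil says: <text>' for an anonymous request and
    '<username> says: <text>' when a user is attached to the request.
    """
    body = urlencode({'query': f'query {{ echo(text: "{text}") }}'}).encode()
    headers = {
        'Cookie': f'_gitlab_session={session_cookie}',  # Omnibus cookie name
        'Content-Type': 'application/x-www-form-urlencoded',
        'Origin': origin,
    }
    return urllib.request.Request(base_url.rstrip('/') + '/api/graphql',
                                  data=body, headers=headers, method='POST')


def classify_echo(response_text):
    """'anonymous'     -> ran without the session user: expected once fixed
       'authenticated' -> the cookie alone authenticated it: the CSRF condition
       'error'         -> not a usable echo answer (bad cookie, field missing)"""
    try:
        echo = json.loads(response_text)['data']['echo']
    except (ValueError, KeyError, TypeError):
        return 'error'
    if not isinstance(echo, str):
        return 'error'
    return 'anonymous' if echo.startswith('nil says:') else 'authenticated'


def run_probe(base_url, session_cookie):
    """Send the probe to a live instance and classify the answer; a 4xx means
    the server refused the request outright, which is also a safe outcome."""
    try:
        with urllib.request.urlopen(build_probe(base_url, session_cookie),
                                    timeout=10) as resp:
            return classify_echo(resp.read().decode())
    except urllib.error.HTTPError as exc:
        return f'rejected ({exc.code})'


if __name__ == '__main__':
    import sys
    # usage: python3 probe.py https://gitlab.example.com <_gitlab_session value>
    print(run_probe(sys.argv[1], sys.argv[2]))
```

Use a session from a throwaway test account, and read the verdict as follows: "authenticated" means the cookie alone was enough and the instance still has the CSRF condition; "anonymous" or "rejected" is what a fixed instance returns. The `echo` field is a query rather than a mutation; the CSRF check in the GraphQL controller is assumed here to apply to the whole /api/graphql request regardless of operation type, so if you need a strict answer for mutations, repeat the probe with a reversible mutation of your own choosing in place of the echo query.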

📡 Detection & Monitoring

Log Indicators:

  • The CSRF token is never written to any GitLab log, so there is no "request without a token" field to search for. Work from the request shape instead.
  • gitlab_access.log (nginx): POST /api/graphql answered with 2xx and a Referer from a host other than your external_url, or with no Referer at all but a browser User-Agent. Token-based API clients (curl, glab, CI jobs) send no Referer and no browser UA; the GitLab UI and GraphiQL send both, from your own host.
  • graphql_json.log: mutations (query_string beginning with "mutation") that do not line up with the user's other UI activity, or bursts of mutations from one remote_ip across many users. Join it to production_json.log on correlation_id to get remote_ip, username and ua for each request.

Network Indicators:

  • Cross-site POST to /api/graphql: Origin or Referer of a foreign site, _gitlab_session cookie present, no X-CSRF-Token header
  • Bodies to /api/graphql in application/x-www-form-urlencoded, multipart/form-data or text/plain from a browser user agent. A cross-site request that carries cookies without a CORS preflight is limited to those content types, whereas the GitLab front end and GraphiQL send application/json.

SIEM Query:

Against the nginx access log (field names depend on your parser; gitlab.example.com stands for your external_url):

source="gitlab_access.log" AND http_method="POST" AND uri_path="/api/graphql" AND NOT referer="-" AND NOT referer="https://gitlab.example.com/*"
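The same detection as a script over raw access-log lines, as an added example (not part of this page or of GitLab): it goes one step beyond the SIEM query by also surfacing no-Referer POSTs that come from a browser user agent, which is how a forged request looks when the attacker page suppresses the Referer. The regex assumes the nginx combined-style format Omnibus writes to gitlab_access.log, the host gitlab.example.com is a placeholder, and the sample lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Host part of external_url; placeholder for this example.
OWN_HOST = 'gitlab.example.com'

# nginx combined-style line as written by Omnibus gitlab_access.log
# (adjust the pattern if your log_format differs).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def classify(line, own_host=OWN_HOST):
    """Verdict for one line, or None if it is not a POST to /api/graphql.

    'same_site'  : Referer on our own host (GitLab UI or GraphiQL)
    'cross_site' : Referer on another host: the CSRF shape
    'no_referer' : no Referer; normal for token-based API clients, but also
                   what a forged browser request looks like when the attacker
                   page sets Referrer-Policy: no-referrer
    """
    m = LINE_RE.match(line)
    if not m or m['method'] != 'POST':
        return None
    if m['path'].split('?', 1)[0] != '/api/graphql':
        return None
    referer = m['referer']
    if referer in ('', '-'):
        return 'no_referer'
    host = urlsplit(referer).hostname or ''
    return 'same_site' if host == own_host else 'cross_site'


def suspicious(lines, own_host=OWN_HOST):
    """Lines worth an analyst's time: every accepted (2xx) cross-site POST,
    plus accepted no-Referer POSTs from a browser user agent (browsers
    identify as Mozilla/...; curl, glab and CI runners do not)."""
    hits = []
    for line in lines:
        verdict = classify(line, own_host)
        if verdict not in ('cross_site', 'no_referer'):
            continue
        m = LINE_RE.match(line)
        if not m['status'].startswith('2'):
            continue
        if verdict == 'no_referer' and not m['ua'].startswith('Mozilla/'):
            continue
        hits.append((verdict, m['ip'], m['referer'], m['ua'].split()[0]))
    return hits


# Constructed sample lines, not taken from a real instance.
SAMPLE_LOG = [
    # GitLab UI submitting a mutation from a merge request page
    '10.0.0.5 - - [01/Jul/2021:10:00:01 +0000] "POST /api/graphql HTTP/1.1" 200 512 '
    '"https://gitlab.example.com/grp/proj/-/merge_requests/12" "Mozilla/5.0 (X11; Linux x86_64) Firefox/89.0"',
    # token-based API client
    '10.0.0.9 - - [01/Jul/2021:10:00:02 +0000] "POST /api/graphql HTTP/1.1" 200 88 "-" "curl/7.68.0"',
    # forged request from a page on another origin
    '203.0.113.7 - - [01/Jul/2021:10:00:03 +0000] "POST /api/graphql HTTP/1.1" 200 201 '
    '"https://attacker.example/" "Mozilla/5.0 (Windows NT 10.0) Chrome/91.0.4472.124"',
    # same, with the attacker page suppressing the Referer
    '203.0.113.7 - - [01/Jul/2021:10:00:04 +0000] "POST /api/graphql HTTP/1.1" 200 201 '
    '"-" "Mozilla/5.0 (Windows NT 10.0) Chrome/91.0.4472.124"',
    # unrelated traffic
    '10.0.0.5 - - [01/Jul/2021:10:00:05 +0000] "GET /grp/proj HTTP/1.1" 200 9001 '
    '"https://gitlab.example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/89.0"',
]

if __name__ == '__main__':
    for hit in suspicious(SAMPLE_LOG):
        print(*hit)
```

Run it over a real gitlab_access.log with `suspicious(open(path))`. Expect some noise from the no-Referer rule: a browser extension or an internal tool that posts to the API from a page with a no-referrer policy will trip it, so tune the user-agent filter to your environment before alerting on it.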
