GitLab SSRF via Import Feature (CVE-2021-39935)

CVE-2021-39935 is a Server-Side Request Forgery (SSRF) vulnerability in GitLab Community and Enterprise Editions. An attacker can abuse GitLab's project import or integration features to cause the server to issue arbitrary HTTP requests to internal network resources, enabling reconnaissance, metadata service access, and potential lateral movement within cloud-hosted or on-premises GitLab deployments. This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog.

Vulnerability Intelligence

KEV status: Known Exploited (CISA catalog)

Affected Software

Vendor: GitLab
Product: Community and Enterprise Editions

Weakness (CWE):

Timeline

Disclosed: February 3, 2026

CVSS: Unscored (write-up coming soon)

What is CVE-2021-39935 (GitLab SSRF via Import Feature)?

GitLab SSRF via Import Feature (CVE-2021-39935) maps to the MITRE ATT&CK tactics Reconnaissance, Discovery and Lateral Movement: the adversary is trying to gather information they can use to plan future operations.

This page provides production-ready detection logic for GitLab SSRF via Import Feature (CVE-2021-39935), covering the data sources and telemetry it touches: CommonSecurityLog, W3CIISLog, AzureDiagnostics. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms: KQL, SPL, Elastic, QRadar, Sumo, YARA-L and LogScale.

MITRE ATT&CK

Tactics: Reconnaissance, Discovery, Lateral Movement

Microsoft Sentinel / Defender (KQL)

union CommonSecurityLog, W3CIISLog
| where TimeGenerated > ago(7d)
| where (RequestURL has_any ("/api/v4/projects", "/import", "/integrations") or csUriStem has_any ("/api/v4/projects", "/import", "/integrations"))
| where (RequestURL matches regex @"(169\.254\.169\.254|metadata\.google\.internal|100\.100\.100\.200|localhost|127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)" or csUriQuery matches regex @"(169\.254\.169\.254|metadata\.google\.internal|localhost|127\.|10\.|192\.168\.)")
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, RequestURL, csUriStem, csUriQuery, RequestMethod, ResponseCode, Activity
| order by TimeGenerated desc

Detects HTTP requests to GitLab import or integration API endpoints referencing internal/cloud metadata IP addresses indicative of SSRF exploitation attempts.

Severity: high. Confidence: medium.

Data Sources

CommonSecurityLog, W3CIISLog, AzureDiagnostics

Required Tables

CommonSecurityLog, W3CIISLog

False Positives

  • Legitimate GitLab integrations that import from internal artifact repositories may trigger this rule
  • Security scanners or vulnerability assessment tools probing GitLab endpoints
  • Misconfigured webhook targets pointing to RFC-1918 addresses for internal CI/CD pipelines

Sigma rule & cross-platform mapping

The detection logic for GitLab SSRF via Import Feature (CVE-2021-39935) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native queries for KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale). In Sigma terms, this detection targets the following logsource:

logsource:
  product: azure

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. SSRF via GitLab Project Import URL — Cloud Metadata

    Expected signal: Outbound network connection from the GitLab server process to 169.254.169.254:80; HTTP GET request logged in GitLab production.log with an import_url parameter containing the metadata IP.

  2. SSRF via GitLab Webhook Integration — Internal Host

    Expected signal: Network connection attempt from the GitLab process to 192.168.1.1:6379; webhook creation logged in the GitLab audit log with the attacker-supplied internal URL.

  3. SSRF via GitLab External Issue Tracker Integration — GCP Metadata

    Expected signal: DNS lookup for metadata.google.internal followed by an HTTP GET from the GitLab server; integration update recorded in the GitLab application log.
