CVE-2021-22213 in Community Edition
Summary
by MITRE • 06/09/2021
A cross-site leak vulnerability in the OAuth flow of all versions of GitLab CE/EE since 7.10 allowed an attacker to leak an OAuth access token by getting the victim to visit a malicious page with Safari
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 08/30/2025
The vulnerability identified as CVE-2021-22213 represents a critical cross-site leak issue within GitLab's OAuth implementation that has persisted across all versions since 7.10. This flaw specifically targets the OAuth authorization flow and exploits a fundamental weakness in how browsers handle redirect URIs, particularly affecting users who access GitLab through Safari. The vulnerability stems from improper validation of redirect URIs during the OAuth authorization process, creating an avenue for attackers to intercept and steal sensitive access tokens through social engineering techniques.
The technical exploitation of this vulnerability relies on Safari's specific behavior regarding cross-origin redirects and how it handles the OAuth authorization code flow. When a victim visits a malicious page that initiates an OAuth request to GitLab, the attacker can manipulate the redirect URI parameter to point to a location under their control. This allows the OAuth access token to be leaked through the Referer header or direct URL parameters when Safari performs the redirect. The flaw is particularly dangerous because it operates at the browser level rather than the application level, making it difficult to detect and prevent through traditional web application security measures.
The operational impact of this vulnerability extends beyond simple credential theft, as OAuth access tokens represent privileged access to GitLab resources and can be used to perform actions on behalf of authenticated users. Attackers could leverage these stolen tokens to access private repositories, modify code, create new users, or escalate privileges within the GitLab environment. The vulnerability's persistence across multiple versions since 7.10 indicates a fundamental design flaw in GitLab's OAuth implementation that required immediate attention from the security community. This issue directly violates security principles outlined in CWE-200, which addresses information exposure through improper access control, and aligns with ATT&CK technique T1566 for credential access through social engineering.
Organizations using GitLab CE/EE versions from 7.10 onwards must implement immediate mitigations to address this vulnerability, including updating to patched versions that properly validate redirect URIs and implement proper OAuth flow security measures. Additional protective measures should include monitoring for suspicious redirect patterns, implementing Content Security Policy headers, and educating users about the risks of visiting untrusted websites. The vulnerability demonstrates the critical importance of proper OAuth implementation and highlights how browser-specific behaviors can create unexpected security weaknesses in web applications. Security teams should also consider implementing additional monitoring for OAuth-related activities and establishing incident response procedures for token compromise scenarios.