CVE-2022-2251 in Runner
Summary
by MITRE • 01/18/2023
Improper sanitization of branch names in GitLab Runner affecting all versions prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows a user who creates a branch with a specially crafted name and gets another user to trigger a pipeline to execute commands in the runner as that other user.
Analysis
by VulDB Data Team • 05/24/2026
This vulnerability in GitLab Runner is a critical command injection flaw rooted in improper sanitization of branch names during pipeline execution. The runner did not adequately validate or sanitize user-supplied branch names, so a specially crafted name could reach a command interpreter as input rather than as data. When the runner processed such a name, the embedded commands executed with the privileges of the user who triggered the pipeline. The flaw affects versions prior to 15.3.5, 15.4.4 and 15.5.2, which means several release lines of GitLab Runner were exposed at once.
The technical flaw manifests when GitLab Runner processes branch names containing shell metacharacters or command injection sequences. When one user creates a branch with such a name and another user triggers a pipeline on that branch, the runner's inadequate input validation lets the injected commands run inside the runner's execution environment. This is a privilege escalation scenario: the attacker's commands run as the victim user, with that user's access to sensitive data, system resources and the network. Because the bug sits at the intersection of an input validation failure and command execution, it is particularly dangerous in collaborative environments where many users push to shared repositories and trigger each other's pipelines.
The operational impact extends beyond a single command execution, since combined with other attack vectors it can lead to full system compromise. An attacker could use it to escalate privileges, read confidential repository data, or pivot to other systems on the network. The prerequisites are minimal: create a branch with a malicious name and get another user to trigger a pipeline on it. That makes the attack especially effective where users trust one another and routinely run automated workflows. The vulnerability maps directly to CWE-78, improper neutralization of special elements used in OS commands, and aligns with ATT&CK technique T1059.001 for command and script injection.
Organizations should upgrade to a patched GitLab Runner release immediately. Beyond patching, the recommended mitigation is comprehensive validation of every user-provided branch name and sanitization of all inputs before the runner acts on them. Additional protective measures include restricting who may create branches, adding pipeline security scanning, and monitoring for suspicious branch naming patterns. Security teams should also consider network segmentation and access controls to limit the damage a successful exploitation can do. The case underlines how critical input sanitization is in CI/CD environments, where automated processes run with elevated privileges and reach sensitive systems and data.
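An added example, not GitLab Runner's own code, illustrating the validation and safe invocation the analysis above calls for; the function names ValidateBranchName, CheckoutArgv and RunCheckout are hypothetical. It enforces git's ref-name rules, additionally rejects the shell metacharacters git itself tolerates, and builds the git call as an argv slice so the branch name is never re-parsed by a shell.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// Characters git refuses in a ref name (see git-check-ref-format).
var gitForbidden = regexp.MustCompile("[[:cntrl:] ~^:?*\\[\\\\]")

// Shell metacharacters git happens to allow; they become dangerous only when a
// runner splices the name into a "sh -c" string instead of passing it as argv.
var shellMeta = regexp.MustCompile("[;&|`$(){}<>'\"!#]")

// ValidateBranchName accepts only names that are valid git refs and carry no
// shell metacharacters, so a name can never double as a command.
func ValidateBranchName(name string) error {
	switch {
	case name == "", name == "@", strings.HasPrefix(name, "-"),
		strings.HasPrefix(name, "/"), strings.HasSuffix(name, "/"),
		strings.HasSuffix(name, "."), strings.HasSuffix(name, ".lock"),
		strings.Contains(name, ".."), strings.Contains(name, "//"),
		strings.Contains(name, "@{"), gitForbidden.MatchString(name):
		return fmt.Errorf("not a valid git ref name: %q", name)
	case shellMeta.MatchString(name):
		return fmt.Errorf("shell metacharacters in branch name: %q", name)
	}
	return nil
}

// CheckoutArgv builds the checkout as an argv slice: exec.Command hands each
// element to git verbatim, so the name is one opaque argument, never shell text.
func CheckoutArgv(branch string) ([]string, error) {
	if err := ValidateBranchName(branch); err != nil {
		return nil, err
	}
	return []string{"git", "checkout", "-B", branch, "origin/" + branch}, nil
}

// RunCheckout runs the argv directly in repoDir: no "sh -c", no interpolation.
func RunCheckout(repoDir, branch string) error {
	argv, err := CheckoutArgv(branch)
	if err != nil {
		return err
	}
	cmd := exec.Command(argv[0], argv[1:]...)
	cmd.Dir = repoDir
	return cmd.Run()
}
```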