CVE-2019-5464
Description
A flawed DNS rebinding protection issue was discovered in GitLab CE/EE 10.2 and later in the url_blocker.rb which could result in SSRF where the library is utilized.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A DNS rebinding protection flaw in GitLab's url_blocker.rb allows SSRF to internal networks from version 10.2.
Vulnerability
A flawed DNS rebinding protection mechanism exists in GitLab CE/EE starting from version 10.2 in the url_blocker.rb file [1]. The validate function performs a DNS lookup to check if a domain's IP address belongs to the local network and applies protection only if resolution succeeds. If domain resolution fails (e.g., the domain does not resolve at the time of validation), the DNS rebinding protection is bypassed, allowing SSRF via webhooks or other features that use the library.
Exploitation
An attacker can exploit this by running a DNS server under their control that initially fails to resolve the domain and, after a delay (10–15 seconds, to outlast DNS caching), answers with an internal IP such as 169.254.169.254 (cloud metadata). The attacker creates a webhook for a repository using a domain like http://990.hacker1.xyz [1]. After waiting, testing the webhook causes GitLab to send an HTTP request to the internal IP and return the response [1].
Impact
Successful exploitation leads to Server-Side Request Forgery (SSRF), allowing the attacker to read responses from internal services reachable by the GitLab server. This could expose sensitive information like cloud metadata, internal application endpoints, or other network-accessible resources.
Mitigation
GitLab addressed this vulnerability in version 12.1.2, released on July 29, 2019 [2]. All users running versions 10.2 through 12.1.1 should upgrade to 12.1.2 or later. No workarounds are available; upgrading is the only mitigation.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: >=10.2, <12.1.2
- (no CPE) range: Affects GitLab CE/EE 10.2 and later
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Flawed DNS rebinding protection in the `validate` function of `url_blocker.rb` fails to apply when domain resolution encounters an error, allowing an attacker to bypass the IP check."
Attack vector
An attacker registers a domain (e.g., `990.hacker1.xyz`) whose DNS initially resolves to a non-local IP, passing GitLab's `validate` check. After the check passes, the attacker changes the DNS record to point to an internal IP (e.g., `169.254.169.254` or `127.0.0.1`). When GitLab later sends the HTTP request (e.g., via a webhook), the domain resolves to the internal address, achieving SSRF. The flaw is that if `validate` encounters a DNS resolution error, the rebinding protection is skipped entirely [ref_id=1].
Affected code
The vulnerable code is in `lib/gitlab/url_blocker.rb` at line 59, specifically the `validate` function [ref_id=1]. This function performs a DNS lookup to check whether a domain's IP belongs to the local network, but fails to apply DNS rebinding protection when domain resolution encounters an error [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory [ref_id=1] identifies the vulnerable code path at `lib/gitlab/url_blocker.rb` line 59, where the `validate` function performs a DNS lookup to check whether an IP belongs to the local network. The advisory states that when `validate` encounters an error resolving the domain, "the DNS rebinding protection is not applied" [ref_id=1]. The expected remediation would ensure that DNS rebinding protection is enforced even when domain resolution fails, preventing the bypass.
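An added illustration, not code from GitLab or the advisory: a minimal Ruby URL validator in the fail-open shape the advisory describes, beside a fail-closed version that also hands back the vetted addresses so the caller does not resolve the name a second time. The resolver is injectable so the code runs offline, and the blocked ranges are a constructed list rather than GitLab's own.

```ruby
require "ipaddr"
require "resolv"
require "uri"

# Constructed list of ranges an SSRF filter should refuse; not GitLab's own list.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
  192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# True when the string is a local/internal address, or cannot be parsed at all.
def local_address?(addr)
  ip = IPAddr.new(addr)
  BLOCKED_RANGES.any? { |r| r.family == ip.family && r.include?(ip) }
rescue IPAddr::InvalidAddressError
  true
end

def ip_literal?(host)
  IPAddr.new(host)
  true
rescue IPAddr::InvalidAddressError
  false
end

DEFAULT_RESOLVER = ->(host) { Resolv.getaddresses(host) }

# Fail-open pattern described in the advisory: a resolution error skips the
# check, so the later HTTP request resolves the name again, unchecked.
def validate_fail_open(url, resolver: DEFAULT_RESOLVER)
  host = URI.parse(url).hostname
  addrs = ip_literal?(host) ? [host] : resolver.call(host)
  addrs.any? { |a| local_address?(a) } ? :blocked : :allowed
rescue StandardError
  :allowed # the bug: an error means no protection is applied
end

# Fail-closed version: any failure blocks, an empty answer blocks, and the
# vetted addresses are returned so the caller connects to them directly
# instead of re-resolving (re-resolution is what a rebinding attack relies on).
def validate_fail_closed(url, resolver: DEFAULT_RESOLVER)
  host = URI.parse(url).hostname
  return [:blocked, []] if host.nil? || host.empty?
  addrs = ip_literal?(host) ? [host] : Array(resolver.call(host))
  return [:blocked, []] if addrs.empty?
  return [:blocked, addrs] if addrs.any? { |a| local_address?(a) }
  [:allowed, addrs]
rescue StandardError
  [:blocked, []]
end
```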
Preconditions
- network: Attacker must control a DNS server that can switch a domain's resolution from a non-local IP to an internal IP (DNS rebinding).
- config: GitLab instance must have webhooks enabled and allow outgoing HTTP requests to user-supplied URLs.
- auth: No authentication required beyond having access to create or modify a webhook on a repository.
Reproduction
1. Create a webhook for a repository on GitLab.com using the URL `http://990.hacker1.xyz` (may return an error initially).
2. Wait about 10 seconds.
3. Test the webhook by clicking "Test" and "Push events".
4. After the hook executes, the content of `http://169.254.169.254` is returned. Wait about 15 seconds between testing attempts due to DNS caching [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- about.gitlab.com/releases/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/
- gitlab.com/gitlab-org/gitlab-ce/issues/63959
- hackerone.com/reports/632101
News mentions
No linked articles in our index yet.