VYPR
Unrated severity · NVD Advisory · Published Jul 7, 2021 · Updated Aug 3, 2024

CVE-2021-22231

Description

A denial of service in the user's profile page is found starting with GitLab CE/EE 8.0 that allows an attacker to reject access to their profile page by using a specially crafted username.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A denial-of-service vulnerability in GitLab CE/EE 8.0+ allows an attacker to make their profile page inaccessible by registering a username ending with .html, causing the profile to redirect to a different page.

Vulnerability

The vulnerability exists in GitLab CE/EE starting from version 8.0. When a user registers with a username that ends with .html (e.g., dashboard.html), the profile page URL for that user is mishandled by the routing mechanism. Instead of displaying the user's profile, the request is interpreted as a request for a static HTML page, causing a redirect to the corresponding page (e.g., the dashboard). This affects all versions from 8.0 up to the fix [1].

Exploitation

An attacker can register a new user with a username that matches an existing HTML page in GitLab, such as dashboard.html or profile.html. After logging in, clicking on the profile tab redirects to the dashboard page instead of the user's profile. The attacker does not need any special privileges; any user can register with such a username. The attack requires no user interaction beyond the attacker's own registration [1].

Impact

The attacker can deny access to their own profile page for themselves and other users. This can be used to hide the attacker's identity or prevent others from viewing their profile. The impact is limited to denial of service; no data disclosure, privilege escalation, or code execution is possible [1].

Mitigation

The issue was fixed in GitLab versions 13.11.6, 13.12.6, and 14.0.2. Users should upgrade to these or later versions. No workaround is available for affected versions. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0. No patches discovered yet.

Vulnerability mechanics

Root cause

"The URL router does not differentiate between a username ending in '.html' and a request for a static HTML page, causing profile URLs to be resolved to built-in pages instead."

Attack vector

An attacker registers a new user account with a username that matches the name of an existing HTML page in GitLab, such as "dashboard.html" or "profile.html". When any visitor (including the attacker themselves) navigates to the user's profile URL, the application serves the built-in HTML page (e.g., the dashboard) instead of the user's profile page, effectively denying access to the profile [1]. The attacker needs only the ability to register an account with a crafted username; no special privileges are required.

Affected code

The vulnerability affects the user profile page routing in GitLab CE/EE starting from version 8.0. The issue is in how the application resolves URLs when a username ends with ".html": the router treats the request as a static HTML page rather than a user profile path [1].

What the fix does

The advisory does not include a published patch diff. The recommended remediation is to ensure that usernames ending with ".html" are either rejected during registration or that the routing logic distinguishes user profile paths from static page paths so that a username like "dashboard.html" does not shadow the actual dashboard route [1].
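The registration-time check described above, written out as an added example in Ruby (GitLab's implementation language). This is not GitLab's own code or its actual fix: the reserved-name list, the suffix list and the method names `username_errors`, `valid_username?` and `colliding_usernames` are assumptions for illustration. It covers both remediation paths mentioned here: refusing ambiguous names at registration, and auditing accounts that already exist so an operator can find names that would collide with a built-in page before a router change lands.

```ruby
# Added example, not GitLab's own code: a registration-time username check
# that refuses names a Rails-style router could confuse with a built-in
# page (e.g. "dashboard.html"), plus an audit helper for accounts that
# were created before such a check existed. The reserved-name list, the
# suffix list and all method names are assumptions for illustration.

# Top-level page names a profile URL must never shadow (constructed
# sample; a real application would derive this from its route table).
RESERVED_TOP_LEVEL_NAMES = %w[dashboard profile explore help search
                              users groups projects admin].freeze

# Response-format suffixes a router strips from the last path segment.
# "dashboard.html" is then ambiguous: the user "dashboard.html" or the
# dashboard rendered as HTML.
FORMAT_SUFFIX = /\.(html?|json|atom|xml|js|css)\z/i

# Conservative character set: letters, digits, '_', '-', '.', at most 255.
USERNAME_PATTERN = /\A[a-z0-9_][a-z0-9_.-]{0,254}\z/i

# Returns the reasons a username must be refused; an empty array means OK.
def username_errors(name)
  errors = []
  errors << "invalid characters or length" unless name.match?(USERNAME_PATTERN)
  errors << "ends with a response-format suffix" if name.match?(FORMAT_SUFFIX)
  # Compare the name with any suffix removed, so "Profile.HTML" is
  # caught as a reserved name as well as a suffixed one.
  base = name.sub(FORMAT_SUFFIX, "").downcase
  errors << "reserved path name" if RESERVED_TOP_LEVEL_NAMES.include?(base)
  errors
end

def valid_username?(name)
  username_errors(name).empty?
end

# Audit helper: given usernames already in the database, return those
# that would now be refused, so an operator can rename them before the
# router change lands.
def colliding_usernames(existing)
  existing.reject { |u| valid_username?(u) }
end

if __FILE__ == $PROGRAM_NAME
  sample = %w[alice dashboard.html Profile.HTML help bob.json carol-1] # constructed
  sample.each do |u|
    status = valid_username?(u) ? "accepted" : "rejected (#{username_errors(u).join('; ')})"
    puts format("%-15s %s", u, status)
  end
  puts "would collide: #{colliding_usernames(sample).inspect}"
end
```

The suffix is stripped before the reserved-name comparison on purpose: a check that only rejects the literal string "dashboard.html" would still let "Dashboard.HTML" or "dashboard.json" through, and a case-insensitive router would resolve those the same way.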

Preconditions

  • Auth: Attacker must be able to register a new user account on the GitLab instance.
  • Input: The chosen username must match a built-in HTML page name (e.g., 'dashboard', 'profile').

Reproduction

1. Register a new user with a username such as "dashboard.html" or "profile.html".
2. Log in as that user and click on the profile tab.
3. Observe that the browser is redirected to the dashboard page (or the matching HTML page) instead of the user's profile page [1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0. No linked articles in our index yet.