VYPR
Unrated severity · NVD Advisory · Published Aug 5, 2021 · Updated Aug 3, 2024

CVE-2021-22241

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.0. It was possible to exploit a stored cross-site scripting vulnerability via a specifically crafted default branch name.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in GitLab CE/EE 14.0+ via crafted default branch name allows arbitrary JS execution on project pages.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in GitLab Community Edition (CE) and Enterprise Edition (EE) versions starting from 14.0. The issue is located in the group settings page, where the "Default initial branch name" field does not properly sanitize user input. When a project without an initial repository is created in the affected group, an information page is displayed that includes two unsanitized references to the default branch name, leading to the injection of arbitrary JavaScript. Affected versions: GitLab CE/EE >= 14.0. [1]

Exploitation

To exploit this vulnerability, an attacker must hold at least the Developer role in a group (or be an administrator) in order to change the "Default initial branch name" setting. The attacker sets the default branch name to a malicious JavaScript payload. When any user (including developers or administrators) visits the main page of a project created in that group that lacks a repository, the information page renders the payload and the script executes. On a self-hosted GitLab instance without a Content Security Policy (CSP), the attacker can execute arbitrary JavaScript, including loading external scripts. On GitLab.com, CSP restrictions may limit the attack, but the attacker can still change the page's base URI to hijack relative links. [1]

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to theft of personal access tokens, session hijacking, and complete account compromise. If the victim is an administrator, the attacker gains full control over the GitLab instance. The impact includes confidentiality, integrity, and availability breaches. [1]

Mitigation

GitLab has addressed this issue in version 14.0.2. Users should upgrade to the latest fixed version immediately. No workarounds are available. Self-hosted instances can also enforce a strong Content Security Policy (CSP) to mitigate the risk of external script execution, though this does not fully prevent the vulnerability. [1]

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing output sanitization of the group's 'Default initial branch name' when it is displayed on the project information page allows stored cross-site scripting."

Attack vector

An attacker who can change a group's "Default initial branch name" (requires at least Developer role in the group or instance administrator privileges) sets the value to a JavaScript payload such as `

Affected code

The vulnerability exists in the group settings page for "Default initial branch name" under `/groups/group_name/-/settings/repository`. When a project without an initial repository is created in that group, the information page displayed to developers includes two unsanitized inclusions of the default branch name [1].

What the fix does

The advisory does not include a patch diff, but the expected fix is to sanitize the default branch name input on save and to sanitize the branch name when it is displayed on the project information page [1]. The researcher recommends checking for bad input at the point of entry and applying output encoding when the value is rendered to users.
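The two controls the researcher recommends, shown as an added Ruby example that is not GitLab's own code: a ref-name check when the setting is saved and HTML encoding when it is rendered. The function and constant names are assumptions; git's ref rules permit '<' and '>', which is why the save path adds a stricter allow-list and why output encoding remains the decisive control.

```ruby
require "cgi"

# Subset of git's check-ref-format rules (constructed here, not GitLab's validator).
# Note: git permits '<' and '>' in ref names, so this check alone does not stop HTML.
def valid_ref_name?(name)
  return false if name.nil? || name.empty? || name.bytesize > 255
  return false if name.match?(/[\x00-\x20\x7f~^:?*\[\\]/)
  return false if name.include?("..") || name.include?("@{") || name.start_with?("-")
  return false if name.end_with?("/") || name.end_with?(".") || name == "@"
  name.split("/").none? { |c| c.empty? || c.start_with?(".") || c.end_with?(".lock") }
end

# Stricter allow-list for a UI-managed setting (an assumption, tighter than git requires).
CONSERVATIVE_NAME = /\A[A-Za-z0-9][A-Za-z0-9._\/-]*\z/

# Entry-point check: refuse to store a default branch name that fails either rule.
def save_default_branch(settings, name)
  return false unless valid_ref_name?(name) && name.match?(CONSERVATIVE_NAME)
  settings[:default_branch] = name
  true
end

# Vulnerable rendering: interpolates the stored value verbatim, twice, as the advisory describes.
def render_info_page_unsafe(branch)
  "<p>The default branch is <strong>#{branch}</strong>. " \
    "Push to <code>#{branch}</code> to initialize the repository.</p>"
end

# Hardened rendering: HTML-encode at the point of output, whatever was stored.
def render_info_page_safe(branch)
  b = CGI.escapeHTML(branch.to_s)
  "<p>The default branch is <strong>#{b}</strong>. " \
    "Push to <code>#{b}</code> to initialize the repository.</p>"
end

if __FILE__ == $0
  payload = "<script>evil()</script>" # constructed sample, not the advisory's payload
  puts valid_ref_name?(payload)         # true: a legal git ref, so git rules alone are not enough
  puts save_default_branch({}, payload) # false: the allow-list rejects it on save
  puts render_info_page_unsafe(payload) # the tag reaches the browser twice
  puts render_info_page_safe(payload)   # &lt;script&gt;... rendered as inert text
end
```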

Preconditions

  • auth: Attacker must be able to modify the group's 'Default initial branch name' setting (requires at least Developer role in the group or instance administrator privileges).
  • input: A project without an initial repository must be created in the affected group.
  • network: The victim must access the project's main page (the information page shown when no repository exists).

Reproduction

1. Create two users, `attacker01` and `victim01`.
2. Log in as `attacker01`.
3. Create a group `attack_group`.
4. Go to the group's repository settings page and expand "Default initial branch name".
5. Enter `

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0

No linked articles in our index yet.