CVE-2022-4335
Description
A blind SSRF vulnerability was identified in all versions of GitLab EE prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1 which allows an attacker to connect to a local host.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A blind SSRF vulnerability in GitLab EE repository mirroring enables an attacker to probe internal hosts via DNS rebinding.
Vulnerability
A blind server-side request forgery (SSRF) vulnerability exists in GitLab EE repository mirroring functionality. The bug affects all GitLab EE versions prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1. The vulnerability is triggered when a user configures a repository mirror with a URL that resolves to an internal IP address via DNS rebinding, bypassing the localhost restriction [1].
Exploitation
An attacker with the ability to configure repository mirroring (requires at least Maintainer role on a project) can exploit this by setting up a DNS rebinding domain that alternates between an external IP and 127.0.0.1. The attacker then adds the mirror URL in the project settings and repeatedly triggers a refresh of the mirror. After several attempts, the DNS rebinding causes the request to reach the local host, resulting in a blind SSRF where the attacker can observe connection refused errors or other responses, indicating the presence of services on internal ports [1].
Impact
Successful exploitation allows an attacker to perform blind SSRF, enabling them to probe internal hosts and services that are not intended to be accessible from the internet. This can lead to information disclosure about internal network topology and running services. The attack does not provide direct code execution or data exfiltration but can be used as a stepping stone for further attacks [1].
Mitigation
The vulnerability is fixed in GitLab EE versions 15.4.6, 15.5.5, and 15.6.1. Users should upgrade to these or later versions. No workaround is documented; the fix likely involves stricter validation of mirror URLs and DNS resolution. The issue is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <15.4.6, >=15.5 <15.5.5, >=15.6 <15.6.1
- Range: <15.4.6
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Insufficient DNS rebinding protection in repository mirroring URL validation allows an attacker to bypass localhost restrictions."
Attack vector
An attacker uses a DNS rebinding service (e.g., the `rebinder.html` page at lock.cmpxchg8b.com, which hands out `rbndr.us` names) that alternates DNS answers between an attacker-controlled public IP and `127.0.0.1`. The attacker enters the rebinding hostname as the "Git repository URL" in the repository mirroring settings. GitLab's validation passes whenever the lookup it performs returns the public IP, but the mirroring job resolves the name again when it actually connects, and a lookup that returns `127.0.0.1` makes GitLab open a connection to a loopback service. This is a time-of-check/time-of-use gap: the address that was checked is not the address that is used. The attacker repeatedly refreshes the mirror until a connect-time lookup lands on `127.0.0.1`, and infers from the resulting error message whether the local port is open or closed [1].
Affected code
The vulnerability exists in GitLab EE's repository mirroring functionality, specifically the "Mirroring repositories" settings page at `/-/settings/repository#js-push-remote-settings`. The code that validates the Git repository URL during mirror setup does not adequately protect against DNS rebinding attacks.
What the fix does
The advisory does not include a published patch diff. The expected remediation, as stated in the issue, is that requests to localhost must be blocked during repository mirroring. Blocking them reliably means closing the gap between validation and use: resolve the hostname once, check every returned address against loopback, private and link-local ranges, and then connect to that validated address rather than to the hostname (keeping the original hostname only for the Host header or TLS SNI), so that a second lookup cannot substitute `127.0.0.1`. Re-checking at connection time is a useful second layer, but only if the address being checked is the one actually connected to [1].
Preconditions
- auth: Attacker must have access to configure repository mirroring on a GitLab EE project
- input: Attacker must control a DNS rebinding domain that alternates between a public IP and 127.0.0.1
- config: Target GitLab instance must be GitLab EE (not CE), version prior to 15.4.6, 15.5.5, or 15.6.1
Reproduction
1. Go to a DNS rebinding service (e.g., `https://lock.cmpxchg8b.com/rebinder.html`) and set IP A to any public address and IP B to `127.0.0.1`.
2. Log in to your GitLab EE project and navigate to `/-/settings/repository#js-push-remote-settings`.
3. Under "Mirroring repositories", enter the generated rebinding URL (e.g., `http://ac41fb4e.7f000001.rbndr.us`) as the "Git repository URL".
4. Set mirror direction to "Push".
5. If blocked with "localhost not allowed", retry until the mirror is added.
6. Once added, repeatedly click the refresh icon near the URL; after several attempts, an error message indicating a connection to localhost (refused or succeeded) will appear [1].
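The validation gap described under "Attack vector" and the retry-until-rebound loop in the reproduction steps above, as an added Ruby example. This is illustrative code written for this page, not GitLab's mirroring or URL-validation code. It assumes a constructed resolver stub (`RebindingResolver`) standing in for a rebinding name, a made-up hostname `a.b.rbndr.example`, the documentation address `203.0.113.10` as the "public" side, and a plain hash as the stored mirror record. The weak pattern stores only the hostname and looks it up again on every refresh; the hardened pattern pins the validated address and never resolves again.

```ruby
require 'ipaddr'

# Constructed stand-in for a rebinding name: each lookup returns the next
# address in the list, the way a rebinder alternates between IP A and IP B.
class RebindingResolver
  def initialize(answers)
    @answers = answers
    @lookups = 0
  end

  def resolve(_hostname)
    ip = @answers[@lookups % @answers.size]
    @lookups += 1
    ip
  end
end

# Ranges a mirror must never reach: loopback, RFC 1918, link-local, and
# their IPv6 counterparts.
BLOCKED_RANGES = %w[
  127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
  ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }

def local_address?(ip)
  addr = IPAddr.new(ip).native # unwrap ::ffff:a.b.c.d to a.b.c.d
  BLOCKED_RANGES.any? { |range| range.family == addr.family && range.include?(addr) }
end

# Weak pattern: the address is checked once at save time, but only the
# hostname is stored, so every refresh performs a fresh, attacker-steered lookup.
def weak_add_mirror(hostname, resolver)
  raise ArgumentError, 'localhost not allowed' if local_address?(resolver.resolve(hostname))
  { hostname: hostname }
end

def weak_refresh_mirror(mirror, resolver)
  ip = resolver.resolve(mirror[:hostname]) # second lookup: the rebinding window
  { connected_to: ip }
end

# Hardened pattern: resolve once, validate, pin the address, and connect to the
# pinned address on every refresh. The hostname is kept only for Host/SNI.
def safe_add_mirror(hostname, resolver)
  ip = resolver.resolve(hostname)
  raise ArgumentError, 'localhost not allowed' if local_address?(ip)
  { hostname: hostname, pinned_ip: ip }
end

def safe_refresh_mirror(mirror, _resolver)
  ip = mirror[:pinned_ip]
  raise ArgumentError, 'localhost not allowed' if local_address?(ip) # defence in depth
  { connected_to: ip }
end

# Plays the reproduction steps: retry adding the mirror until it is accepted,
# then refresh repeatedly and report whether any refresh reached loopback.
def attacker_attempt(add:, refresh:, answers: %w[203.0.113.10 127.0.0.1], attempts: 6)
  resolver = RebindingResolver.new(answers)
  mirror = nil
  attempts.times do
    begin
      mirror = add.call('a.b.rbndr.example', resolver) # hostname is made up
      break
    rescue ArgumentError
      next # "localhost not allowed": try again, as in step 5
    end
  end
  return :never_added unless mirror

  attempts.times do
    begin
      result = refresh.call(mirror, resolver)
      return :reached_localhost if local_address?(result[:connected_to])
    rescue ArgumentError
      next
    end
  end
  :blocked
end

if $PROGRAM_NAME == __FILE__
  puts "vulnerable: #{attacker_attempt(add: method(:weak_add_mirror), refresh: method(:weak_refresh_mirror))}"
  puts "hardened:   #{attacker_attempt(add: method(:safe_add_mirror), refresh: method(:safe_refresh_mirror))}"
end
```

With the alternating answers the weak pair accepts the mirror on a public answer and reaches `127.0.0.1` on the very next refresh, whichever address the rebinder serves first; the hardened pair only ever connects to the address it validated. In a real client the same idea requires connecting to the pinned IP while sending the original hostname as the Host header and TLS SNI, checking every address the name resolves to rather than just the first, and applying the same validation to any redirect target.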
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.