CVE-2021-22205: How to determine if a self-managed instance has been impacted

Any user running a vulnerable version of GitLab should upgrade to a patched version as soon as possible, preferably the latest version of GitLab.

If upgrading immediately is not an option:

Mitigations & Workarounds


Anyone running a vulnerable, public-facing GitLab self-managed instance unable to immediately upgrade to a patched version can apply a patch as a temporary hotfix. Applying this patch will change the relevant code to prevent further exploitation of the vulnerability.

The commands to do on a GitLab Omnibus Linux installation are:

sudo su
cd ~
curl -JLO
cd /opt/gitlab/embedded/lib/exiftool-perl
patch -p2 < ~/allow-only-tiff-jpeg-exif-strip.patch

If you’re running a vulnerable version, can’t upgrade immediately, and you can’t apply the hotpatch for whatever reason, you can:

Replace exiftool script with cat -

This workaround will prevent all stripping of exif data from uploaded images.

Replace /opt/gitlab/embedded/bin/exiftool with a file containing this content:


cat -

If needed, chmod a+x exiftool to ensure it’s executable.


These workarounds are applicable only on Rails / Workhorse nodes (anything with HTTP GitLab components exposed).

To remain patched against exploitation of this vulnerability while running vulnerable versions of GitLab SM accessible via the public internet:

  • You MUST perform the workaround every time GitLab is updated or reinstalled, until reaching version 13.10.3+ (for Linux package or source installation)
  • You must perform the workaround every time you update or deploy a fresh container. (for Docker / Kubernetes deployments)