CVE-2021-22204: Exiftool RCE Vulnerability via DjVu Files

CVE-2021-22204 Overview

CVE-2021-22204 is an arbitrary code execution vulnerability in ExifTool, a widely-used Perl library and command-line tool for reading, writing, and editing metadata in image files. The vulnerability exists due to improper neutralization of user data when parsing the DjVu file format. An attacker can craft a malicious image file that, when processed by ExifTool versions 7.44 and later, executes arbitrary code on the target system.

This vulnerability is particularly dangerous because ExifTool is commonly integrated into web applications, content management systems, and file processing pipelines. The flaw was notably exploited in attacks against GitLab instances, where uploaded images are automatically processed by ExifTool for metadata extraction.

Critical Impact
This vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog and has been actively exploited in the wild, including in attacks against GitLab servers. The exploit enables remote code execution through a seemingly innocuous image file upload.

Affected Products

ExifTool versions 7.44 and up (prior to the patch)
Debian Linux 9.0 and 10.0
Fedora 32, 33, and 34

Discovery Timeline

April 23, 2021 - CVE-2021-22204 published to NVD
November 3, 2025 - Last updated in NVD database

Technical Details for CVE-2021-22204

Vulnerability Analysis

This vulnerability falls under CWE-94 (Improper Control of Generation of Code, also known as Code Injection). The flaw resides in ExifTool's handling of the DjVu file format, specifically in how ANT (annotation) data is parsed and evaluated.

ExifTool uses Perl's eval function to process certain metadata fields within DjVu files. When a malicious DjVu file contains specially crafted annotation data, the vulnerable parsing logic fails to properly sanitize user-controlled input before passing it to eval. This allows an attacker to inject arbitrary Perl code that executes with the privileges of the user running ExifTool.

The attack requires local access in that a user must open or process a malicious file. However, in many deployment scenarios—such as web applications that automatically extract metadata from uploaded images—the attack effectively becomes remotely exploitable. GitLab's integration of ExifTool for image processing made it a high-profile target for this vulnerability.

Root Cause

The root cause is insufficient input validation and sanitization in the DjVu file format parser. The ExifTool code processes ANT (annotation) chunks from DjVu files and evaluates portions of this data using Perl's eval construct. The parser did not adequately neutralize or escape special characters and code constructs that could be interpreted as executable Perl code.

When parsing DjVu annotation data, the vulnerable code path allows attackers to break out of the expected data context and inject arbitrary Perl statements. Since Perl's eval executes the string as code, any injected commands run with the full privileges of the ExifTool process.

Attack Vector

The attack vector requires a victim to process a malicious DjVu file with ExifTool. In practice, this can occur through multiple scenarios:

Web Application Upload: Applications using ExifTool to extract metadata from user-uploaded images automatically trigger the vulnerability when processing a malicious file
Manual Processing: A user running ExifTool directly on a downloaded or received malicious image
Automated Pipelines: CI/CD systems, backup tools, or media management systems that process images using ExifTool

The malicious payload is embedded within the DjVu file's ANT annotation chunk. When ExifTool parses this data, the injected Perl code executes, enabling the attacker to run system commands, download additional payloads, establish reverse shells, or perform other malicious actions.

For detailed technical analysis of the exploitation mechanism, refer to the HackerOne Report #1154542 and the Packet Storm Perl Injection advisory.

Detection Methods for CVE-2021-22204

Indicators of Compromise

Presence of DjVu files with unusually large or suspicious ANT annotation chunks on systems
Unexpected Perl process execution originating from ExifTool or related image processing services
Network connections or reverse shell activity initiated by processes associated with image metadata extraction
Web server logs showing uploads of .djvu files followed by anomalous system behavior

Detection Strategies

Monitor process execution chains for Perl interpreter spawning from web application contexts or ExifTool processes
Implement file integrity monitoring on ExifTool installations to detect unauthorized modifications
Deploy network detection rules to identify command-and-control traffic patterns following image upload events
Use endpoint detection to flag suspicious system calls originating from metadata extraction tools

Monitoring Recommendations

Enable verbose logging for ExifTool operations and monitor for parsing errors or unusual metadata fields
Configure SIEM rules to correlate image upload events with subsequent suspicious process creation or network activity
Implement application-layer firewall rules to inspect uploaded files for DjVu format with malicious annotation patterns
Review and monitor ExifTool version across all systems using software inventory tools

How to Mitigate CVE-2021-22204

Immediate Actions Required

Update ExifTool to the latest patched version immediately across all systems and applications
Audit all applications and services that integrate ExifTool for metadata extraction
Temporarily disable DjVu file processing if patching cannot be performed immediately
Implement file type validation to restrict uploads to known-safe formats where possible

Patch Information

The ExifTool project has released a security patch to address this vulnerability. The fix modifies how the DjVu parser handles annotation data, preventing code injection through the eval construct.

Review the official patch at the GitHub ExifTool Commit for technical details on the fix.

For Linux distributions:

Debian users should refer to DSA-4910 and the Debian LTS Announcement
Fedora users can obtain patches through the standard package update mechanism via Fedora Package Announcements

Workarounds

Block or quarantine DjVu file uploads at the web application firewall or file upload handler level
Run ExifTool in a sandboxed environment with restricted system access and network connectivity
Implement strict input validation to reject files with suspicious or malformed metadata structures
Consider using alternative metadata extraction tools that do not process DjVu format until patching is complete

bash

# Verify ExifTool version and check for vulnerable installations
exiftool -ver

# Update ExifTool on Debian/Ubuntu systems
sudo apt-get update && sudo apt-get install libimage-exiftool-perl

# Update ExifTool on Fedora systems
sudo dnf update perl-Image-ExifTool

CVE-2021-22204 Overview

Critical Impact
This vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog and has been actively exploited in the wild, including in attacks against GitLab servers. The exploit enables remote code execution through a seemingly innocuous image file upload.

Affected Products

ExifTool versions 7.44 and up (prior to the patch)
Debian Linux 9.0 and 10.0
Fedora 32, 33, and 34

Discovery Timeline

April 23, 2021 - CVE-2021-22204 published to NVD
November 3, 2025 - Last updated in NVD database

Technical Details for CVE-2021-22204

Vulnerability Analysis

Root Cause

Attack Vector

The attack vector requires a victim to process a malicious DjVu file with ExifTool. In practice, this can occur through multiple scenarios:

Web Application Upload: Applications using ExifTool to extract metadata from user-uploaded images automatically trigger the vulnerability when processing a malicious file
Manual Processing: A user running ExifTool directly on a downloaded or received malicious image
Automated Pipelines: CI/CD systems, backup tools, or media management systems that process images using ExifTool

For detailed technical analysis of the exploitation mechanism, refer to the HackerOne Report #1154542 and the Packet Storm Perl Injection advisory.

Detection Methods for CVE-2021-22204

Indicators of Compromise

Presence of DjVu files with unusually large or suspicious ANT annotation chunks on systems
Unexpected Perl process execution originating from ExifTool or related image processing services
Network connections or reverse shell activity initiated by processes associated with image metadata extraction
Web server logs showing uploads of .djvu files followed by anomalous system behavior

Detection Strategies

Monitor process execution chains for Perl interpreter spawning from web application contexts or ExifTool processes
Implement file integrity monitoring on ExifTool installations to detect unauthorized modifications
Deploy network detection rules to identify command-and-control traffic patterns following image upload events
Use endpoint detection to flag suspicious system calls originating from metadata extraction tools

Monitoring Recommendations

Enable verbose logging for ExifTool operations and monitor for parsing errors or unusual metadata fields
Configure SIEM rules to correlate image upload events with subsequent suspicious process creation or network activity
Implement application-layer firewall rules to inspect uploaded files for DjVu format with malicious annotation patterns
Review and monitor ExifTool version across all systems using software inventory tools

How to Mitigate CVE-2021-22204

Immediate Actions Required

Update ExifTool to the latest patched version immediately across all systems and applications
Audit all applications and services that integrate ExifTool for metadata extraction
Temporarily disable DjVu file processing if patching cannot be performed immediately
Implement file type validation to restrict uploads to known-safe formats where possible

Patch Information

The ExifTool project has released a security patch to address this vulnerability. The fix modifies how the DjVu parser handles annotation data, preventing code injection through the eval construct.

Review the official patch at the GitHub ExifTool Commit for technical details on the fix.

For Linux distributions:

Debian users should refer to DSA-4910 and the Debian LTS Announcement
Fedora users can obtain patches through the standard package update mechanism via Fedora Package Announcements

Workarounds

Block or quarantine DjVu file uploads at the web application firewall or file upload handler level
Run ExifTool in a sandboxed environment with restricted system access and network connectivity
Implement strict input validation to reject files with suspicious or malformed metadata structures
Consider using alternative metadata extraction tools that do not process DjVu format until patching is complete

bash

# Verify ExifTool version and check for vulnerable installations
exiftool -ver

# Update ExifTool on Debian/Ubuntu systems
sudo apt-get update && sudo apt-get install libimage-exiftool-perl

# Update ExifTool on Fedora systems
sudo dnf update perl-Image-ExifTool

CVE-2021-22204: Exiftool RCE Vulnerability via DjVu Files

CVE-2021-22204 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2021-22204

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2021-22204

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2021-22204

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2021-22204: Exiftool RCE Vulnerability via DjVu Files

CVE-2021-22204 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2021-22204

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2021-22204

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2021-22204

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform