An unpatched zero-day vulnerability in the Gogs self-hosted Git service could allow an attacker to achieve remote code execution (RCE) on an internet-facing instance.
Designed as an alternative to GitHub Enterprise and GitLab and written in Go, Gogs is commonly exposed online for remote collaboration.
This argument injection security flaw has not yet been assigned a CVE ID, affects the latest released versions (Gogs 0.14.2 and 0.15.0+dev), and can only be exploited by an authenticated attacker without administrative privileges.
However, despite requiring only basic user privileges to exploit, Rapid7 senior security researcher Jonah Burges (who discovered the flaw) said the vulnerability affects all Gogs servers with default settings.
“Gogs ships with open registration enabled by default (DISABLE_REGISTRATION = false) and no limit on repository creation (MAX_CREATION_LIMIT = -1), making it easy for unauthenticated attackers to create accounts and repositories on default-configured instances,” Burges warned Thursday.
“A registered user who creates a repository automatically becomes its owner. From there, they can enable rebase merging with a single configuration toggle and control the entire exploit chain without any other user interaction.”
A successful exploit could allow the attacker to remotely execute arbitrary code via a pull request that injects the `--exec` flag into git rebase using a malicious branch name during a "rebase before merge" merge operation, when the Gogs server performs the merge for a user.
They could exploit this security flaw to “compromise the server, read all repositories on the instance (including other users’ private repositories), dump credentials (password hashes, API tokens, SSH keys, 2FA secrets), pivot to other systems accessible on the network, and modify the code of hosted repositories.”
Burges added that this vulnerability is similar to other argument injection flaws that Gogs has addressed recently (such as CVE-2024-39933, CVE-2024-39932, CVE-2026-26194, and CVE-2024-39930), but it affects another unpatched code path (Merge()).
Researchers reported this security flaw to Gogs’ administrators on March 17th, but despite acknowledging the report on March 28th, they have yet to provide a patch or reply to further requests for status updates.
Internet security watchdog Shadowserver currently tracks more than 2,400 Gogs servers online, most of them in Asia (1,894) and Europe (319), while Shodan found just over 1,000 IP addresses with Gogs’ fingerprints.
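The root cause described above, for this flaw and for the earlier Gogs CVEs it resembles, is the same: a user-controlled branch name is placed on a git command line, and a name that begins with a dash is read by git as an option rather than as a ref. The Go code below is an added example, not Gogs' code or its eventual fix: it shows the validation a merge path needs before handing a branch name to `git rebase`, rejecting names that could be parsed as options and passing the ref in its fully qualified `refs/heads/` form so it can never start with `-`. The allow-list pattern is a conservative subset of git's ref-name rules and is an assumption, as is the `git rebase <upstream> <branch>` argument order used here.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// ErrUnsafeRef is returned for branch names that must not reach a git command line.
var ErrUnsafeRef = errors.New("unsafe git ref name")

// Conservative allow-list (assumption, not git's full check-ref-format): the first
// character is alphanumeric, so a valid name can never look like "-x" or "--exec".
var refNamePattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._/-]*$`)

// ValidateBranchName rejects anything git could interpret as an option and the
// common shapes git itself refuses as ref names.
func ValidateBranchName(name string) error {
	if name == "" || strings.HasPrefix(name, "-") {
		return fmt.Errorf("%w: %q would be parsed as an option", ErrUnsafeRef, name)
	}
	if !refNamePattern.MatchString(name) ||
		strings.Contains(name, "..") ||
		strings.Contains(name, "//") ||
		strings.HasSuffix(name, "/") ||
		strings.HasSuffix(name, ".lock") {
		return fmt.Errorf("%w: %q is not a well-formed branch name", ErrUnsafeRef, name)
	}
	return nil
}

// RebaseArgs builds the argv for "git rebase" for a rebase-before-merge step.
// The vulnerable pattern is appending the raw branch name; here both names are
// validated and qualified under refs/heads/, so neither can start with "-".
func RebaseArgs(base, head string) ([]string, error) {
	for _, n := range []string{base, head} {
		if err := ValidateBranchName(n); err != nil {
			return nil, err
		}
	}
	return []string{"rebase", "refs/heads/" + base, "refs/heads/" + head}, nil
}

func main() {
	// Constructed inputs: one ordinary branch, two option-shaped names, one malformed name.
	for _, name := range []string{"feature/login", "-x", "--exec", "bad..name"} {
		args, err := RebaseArgs("master", name)
		if err != nil {
			fmt.Printf("%-16q rejected: %v\n", name, err)
			continue
		}
		fmt.Printf("%-16q ok: git %s\n", name, strings.Join(args, " "))
	}
}
```

The check belongs at the point where the merge code builds the command, not only at branch creation time, because refs can also arrive through pushes and API calls that never pass through a web form. For detection, the same rule works in reverse: a ref name in server logs or in `refs/heads/` that begins with a dash is worth an alert on its own.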

In early December, the Gogs security team patched another Gogs RCE vulnerability (CVE-2025-8110) that was exploited in a zero-day attack that compromised hundreds of servers.
“Many of these instances are configured with ‘open registration’ enabled by default, creating a large attack surface,” Wiz security researchers (who reported the flaw) said at the time.
Wiz Research discovered CVE-2025-8110 while investigating a compromise of internet-facing Gogs servers in July and reported the flaw to Gogs maintainers on July 17th. They acknowledged Wiz’s report three months later, on October 30th, and released the CVE-2025-8110 patch in early January.
On January 12, CISA confirmed Wiz’s report that CVE-2025-8110 is being actively exploited, added the security flaw to its catalog of actively exploited vulnerabilities, and ordered Federal Civilian Executive Branch (FCEB) agencies to secure their servers by February 2.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warned at the time.

