Critical RCE Vulnerability Disclosed in Gogs Git Service
Patch Gogs to the latest release immediately to eliminate the RCE vulnerability.
Summary
A critical vulnerability has been disclosed in Gogs, a popular open-source self-hosted Git service, that allows an authenticated user to execute arbitrary code under certain conditions. Rapid7 assigned the flaw a CVSS score of 9.4, indicating a severe risk level. The vulnerability enables remote code execution (RCE) for users who have authenticated to the Gogs instance. No CVE identifier has been assigned yet, but the flaw is actively exploitable in the wild.
The flaw is triggered when an attacker crafts a malicious request that bypasses the authentication checks and executes arbitrary commands on the host. The Gogs developers have released a patch that tightens input validation and removes the vulnerable code path. Users are urged to upgrade to the latest Gogs release immediately to mitigate the RCE risk; an unpatched instance could allow an attacker to gain full control of the server hosting the Git repositories.
Key changes
- Gogs flaw allows authenticated users to execute arbitrary code (RCE) under certain conditions
- CVSS score of 9.4; no CVE assigned yet
- Vulnerability bypasses authentication checks to run arbitrary commands
- Patch tightens input validation and removes vulnerable code path
- Users must upgrade to the latest Gogs release immediately