Critical Gogs Vulnerability Allows Unauthenticated Remote Code Execution


Critical Gogs Zero-Day Allows Attackers to Execute Arbitrary Commands on Servers

Gogs, a widely used open-source self-hosted Git service, has fallen victim to a severe zero-day vulnerability that enables attackers to execute arbitrary commands on vulnerable servers.

The Vulnerability Details

The issue, rated critically severe with a CVSS score of 9.4, was discovered by Rapid7 and resides in the ‘Rebase before merging’ feature of Gogs.

According to Rapid7, “Attackers can exploit this vulnerability by crafting malicious branch names that are passed to the ‘git rebase’ function without proper sanitization.”

Although the ‘Rebase before merging’ feature is not enabled by default, any repository owner or administrator can easily activate it, and once it is enabled an attacker can trigger the exploit without requiring any user interaction.

The Exploitation Process

  • An attacker creates an account and repository on any default-configured instance of Gogs.
  • The attacker crafts a malicious branch name that includes the ‘exec’ flag, which executes a shell command after replaying each commit.
  • The attacker replays each commit, executing the malicious argument included in the branch name.

According to Rapid7, “An unauthenticated attacker can create an account and repository on any default-configured instance of Gogs, making it easy for them to exploit this vulnerability.” An attacker with write access to a repository that has ‘Rebase before merging’ enabled can exploit this flaw directly, resulting in arbitrary command execution as the Gogs server process user.

This grants the attacker the ability to compromise the server, read every repository on the instance, dump sensitive information such as password hashes, API tokens, and SSH keys, and even modify hosted repository code.

Avoiding the Vulnerability

Rapid7 has released a Metasploit module that automates the entire exploit chain, along with indicators of compromise (IoCs) to help defenders detect potential exploitation. Unfortunately, the vulnerability remains unpatched, despite being reported to the Gogs maintainers in mid-March.
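Until a fix ships, the practical mitigations are to leave ‘Rebase before merging’ disabled and to watch for branch names that git would read as command-line options rather than refs. The following audit script is an added example written for this article; it is not code from Gogs or from Rapid7, and the classification rules, the function names, and the sample branch list are all assumptions of the example. It splits each branch name into slash- or whitespace-separated tokens, flags any token that starts with a dash as option-like (the general git argument-injection shape), and separately reports the `exec` forms this article describes. The optional `list_local_branches` helper enumerates real branches from a repository on disk with `git for-each-ref` so the same check can be run across a server's repository store.

```python
import re
import subprocess
from typing import Iterable, List, Optional, Tuple

# Tokens that git rebase would interpret as its exec option (assumption of
# this example; the article only says the branch name carries the exec flag).
EXEC_TOKENS = ("--exec", "-x")


def classify_branch_name(name: str) -> Optional[str]:
    """Return a reason string if the branch name looks like option injection.

    "exec-option"  : a token is --exec, --exec=..., or -x
    "option-like"  : any other token beginning with '-'
    None           : nothing suspicious
    """
    tokens = [t for t in re.split(r"[\s/]+", name) if t]
    for tok in tokens:
        if tok in EXEC_TOKENS or tok.startswith("--exec="):
            return "exec-option"
        if tok.startswith("-"):
            # A leading dash on a path component or word would be parsed as a
            # flag if the name is passed unsanitized to a git subcommand.
            return "option-like"
    return None


def audit_branch_names(names: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (branch, reason) pairs for every suspicious name."""
    findings = []
    for name in names:
        reason = classify_branch_name(name)
        if reason:
            findings.append((name, reason))
    return findings


def list_local_branches(repo_path: str) -> List[str]:
    """Enumerate local branch names of a repository with git for-each-ref."""
    result = subprocess.run(
        ["git", "-C", repo_path, "for-each-ref",
         "--format=%(refname:short)", "refs/heads/"],
        capture_output=True, text=True, check=True,
    )
    return [line for line in result.stdout.splitlines() if line]


# Constructed sample input for offline use: three ordinary names and three
# that should be flagged. Commands in the samples are deliberately harmless.
SAMPLE_BRANCHES = [
    "main",
    "feature/login-fix",
    "release-1.2",          # dash inside a token is fine
    "-x echo",              # exec short form as first token
    "--exec=id hotfix",     # exec long form with attached value
    "fix/--no-verify",      # generic option-like path component
]


if __name__ == "__main__":
    for branch, reason in audit_branch_names(SAMPLE_BRANCHES):
        print(f"{reason:12s} {branch!r}")
```

Run it against a live server by replacing `SAMPLE_BRANCHES` with `list_local_branches(path)` for each repository directory; a hit does not prove compromise, but it is exactly the kind of artifact that should be correlated with the published IoCs and with unexpected child processes of the Gogs service account.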

This marks the second Gogs zero-day to be disclosed publicly in recent months, following the discovery of CVE-2025-8110 in December. The severity of this vulnerability highlights the importance of timely patching and vigilance in protecting against emerging threats.
