Critical Gogs Vulnerability Enables Remote Command Execution and 2FA Bypass

A severe flaw in Gogs, a lightweight self-hosted Git service, allows attackers to run commands remotely and skip two-factor authentication.

This critical issue affects many organizations using Gogs for private code hosting.

Vulnerability Overview

Gogs versions up to 0.13.3 suffer from CVE-2025-64111, an OS command injection bug with a CVSS score of 9.3.

It stems from an incomplete fix for a prior vulnerability, letting attackers update .git/config files via the repository PUT contents API.

Attackers create a symlink to .git/config, push it, then use the API to inject malicious Git config like SSH commands, leading to remote code execution (RCE) on the server.

First, an attacker with repo push access adds a symlink: ln -s .git/config link, commits, and pushes it.

They then send a PUT request to /api/v1/repos/{owner}/{repo}/contents/link with a base64-encoded malicious config, such as sshCommand = touch /tmp/abc or custom remotes.

The API’s UpdateRepoFile skips key security checks, writing to .git/config and triggering RCE on Git operations.
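The security check the article says UpdateRepoFile skips is, in essence, "resolve every symlink in the requested path before deciding where the write lands". The following is an added Python example, not Gogs code: it builds a throwaway working tree (constructed fixture, including the symlink-to-.git/config layout the article describes), implements a symlink-aware path check that an API file-update handler could apply, and adds a scanner an administrator could run over existing repositories to find symlinks that resolve inside .git. Function names and the fixture layout are assumptions for illustration.

```python
import os
import tempfile

GIT_DIR = ".git"


def _inside(parent: str, path: str) -> bool:
    """True if path is parent itself or lies below it (both already real paths)."""
    return path == parent or os.path.commonpath([parent, path]) == parent


def resolve_update_target(repo_root: str, rel_path: str) -> str:
    """Return the real filesystem path an API write to rel_path would touch.

    Raises ValueError when the write is unsafe: absolute or '..' paths,
    any component named .git, escapes from the repository, or a path that
    (after following symlinks) resolves inside the .git directory.
    """
    root = os.path.realpath(repo_root)
    parts = [p for p in rel_path.replace("\\", "/").split("/") if p]
    if not parts or rel_path.startswith("/") or ".." in parts:
        raise ValueError("invalid path")
    if any(p.lower() == GIT_DIR for p in parts):
        raise ValueError("path names the .git directory")
    # realpath follows symlinks in every component, so a link named 'link'
    # pointing at .git/config resolves to the file it would really overwrite
    real = os.path.realpath(os.path.join(root, *parts))
    if not _inside(root, real):
        raise ValueError("path escapes the repository")
    if _inside(os.path.join(root, GIT_DIR), real):
        raise ValueError("path resolves inside .git")
    return real


def is_safe_update_path(repo_root: str, rel_path: str) -> bool:
    """Boolean wrapper for use in a request handler."""
    try:
        resolve_update_target(repo_root, rel_path)
        return True
    except ValueError:
        return False


def find_symlinks_into_git(repo_root: str) -> list:
    """Audit helper: list repo-relative symlinks whose target resolves inside .git."""
    root = os.path.realpath(repo_root)
    git_dir = os.path.join(root, GIT_DIR)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) and _inside(git_dir, os.path.realpath(full)):
                hits.append(os.path.relpath(full, root))
        dirnames[:] = [d for d in dirnames if d != GIT_DIR]  # don't walk .git itself
    return sorted(hits)


def build_fixture() -> str:
    """Constructed working tree: .git/config, README.md, and two symlinks into .git."""
    root = tempfile.mkdtemp(prefix="repo-")
    os.makedirs(os.path.join(root, GIT_DIR))
    with open(os.path.join(root, GIT_DIR, "config"), "w") as f:
        f.write("[core]\n\trepositoryformatversion = 0\n")
    with open(os.path.join(root, "README.md"), "w") as f:
        f.write("hello\n")
    os.symlink(os.path.join(GIT_DIR, "config"), os.path.join(root, "link"))
    os.symlink(GIT_DIR, os.path.join(root, "dirlink"))
    return root


if __name__ == "__main__":
    repo = build_fixture()
    for p in ("README.md", "link", "dirlink/config", ".git/config", "../etc/passwd"):
        print(f"{p!r:20} safe={is_safe_update_path(repo, p)}")
    print("symlinks into .git:", find_symlinks_into_git(repo))
```

The check is done on the real path rather than the string the client sent, so the symlinked file and the symlinked directory cases are both rejected even though neither path contains ".git" as typed. The scanner is the detection counterpart: run it over each repository's checkout to see whether such links are already present.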

Gogs faces additional risks like CVE-2025-64175 (CVSS 7.7), a 2FA bypass where attackers use their own recovery codes for any user’s login if they know the credentials.
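A recovery code that works for "any user's login" is the signature of a lookup that matches the code but never binds it to the account being authenticated. The following added Python example (not Gogs code; the schema and function names are assumptions) shows that flawed lookup beside the scoped one, using an in-memory SQLite table so it runs offline.

```python
import hashlib
import secrets
import sqlite3


def _hash_code(code: str) -> str:
    # Store only a digest so a database leak does not expose usable codes
    return hashlib.sha256(code.encode()).hexdigest()


def setup_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE recovery_codes ("
        "user_id INTEGER NOT NULL, code_hash TEXT NOT NULL, used INTEGER NOT NULL DEFAULT 0)"
    )
    return db


def issue_codes(db: sqlite3.Connection, user_id: int, n: int = 3) -> list:
    codes = [secrets.token_hex(5) for _ in range(n)]
    db.executemany(
        "INSERT INTO recovery_codes (user_id, code_hash, used) VALUES (?, ?, 0)",
        [(user_id, _hash_code(c)) for c in codes],
    )
    return codes


def consume_recovery_code_unscoped(db: sqlite3.Connection, user_id: int, code: str) -> bool:
    """Flawed: user_id is accepted but never used in the query, so any
    account's unused code satisfies the second factor for this login."""
    row = db.execute(
        "SELECT rowid FROM recovery_codes WHERE code_hash = ? AND used = 0",
        (_hash_code(code),),
    ).fetchone()
    if row is None:
        return False
    db.execute("UPDATE recovery_codes SET used = 1 WHERE rowid = ?", (row[0],))
    return True


def consume_recovery_code(db: sqlite3.Connection, user_id: int, code: str) -> bool:
    """Hardened: the code must belong to the user whose password was just verified."""
    row = db.execute(
        "SELECT rowid FROM recovery_codes WHERE user_id = ? AND code_hash = ? AND used = 0",
        (user_id, _hash_code(code)),
    ).fetchone()
    if row is None:
        return False
    db.execute("UPDATE recovery_codes SET used = 1 WHERE rowid = ?", (row[0],))
    return True


def cross_account_check() -> dict:
    """Constructed scenario: user 2's own code presented during user 1's login."""
    db = setup_db()
    issue_codes(db, 1)
    user2_codes = issue_codes(db, 2)
    return {
        "unscoped_accepts_other_users_code": consume_recovery_code_unscoped(db, 1, user2_codes[0]),
        "scoped_accepts_other_users_code": consume_recovery_code(db, 1, user2_codes[1]),
        "scoped_accepts_own_code": consume_recovery_code(db, 2, user2_codes[2]),
        "scoped_rejects_reuse": consume_recovery_code(db, 2, user2_codes[2]),
    }


if __name__ == "__main__":
    for k, v in cross_account_check().items():
        print(f"{k}: {v}")
```

The fix is the single extra predicate on user_id, plus marking the code used so it cannot be replayed; a unit test like cross_account_check is the regression guard that keeps the predicate from being dropped again.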

Another, CVE-2026-24135 (CVSS 7.2), enables authenticated file deletion via wiki path traversal.

| CVE ID | Severity (CVSS) | Description | Affected Versions | Patched Versions | CWE |
|---|---|---|---|---|---|
| CVE-2025-64111 | Critical (9.3) | RCE via .git/config update in API | <=0.13.3 | 0.13.4, 0.14.0+dev | 78 |
| CVE-2025-64175 | High (7.7) | 2FA recovery code cross-account bypass | <=0.13.3 | 0.13.4, 0.14.0+dev | N/A |
| CVE-2026-24135 | High (7.2) | Path traversal file deletion in wiki | <=0.13.3 | 0.13.4, 0.14.0+dev | N/A |

Upgrade to Gogs 0.13.4 or 0.14.0+dev immediately. Disable public repo access, enforce strong auth, and monitor API endpoints.

Consider migrating to Gitea, an active Gogs fork without these issues. No public exploits exist yet, but the PoC makes it easy to weaponize.

This flaw highlights risks in self-hosted Git tools. Prompt patching prevents server takeovers in dev environments.

The post Critical Gogs Vulnerability Enables Remote Command Execution and 2FA Bypass appeared first on Cyber Security News.