
Critical Gogs Vulnerability Enables Remote Command Execution and 2FA Bypass

A severe flaw in Gogs, a lightweight self-hosted Git service, allows attackers to run commands remotely and skip two-factor authentication.

This critical issue affects many organizations using Gogs for private code hosting.

Vulnerability Overview

Gogs versions up to 0.13.3 suffer from CVE-2025-64111, an OS command injection bug with a CVSS score of 9.3.

It stems from an incomplete fix for a prior vulnerability and lets an attacker modify a repository's .git/config through the repository contents API (PUT).

Attackers create a symlink to .git/config, push it, then use the API to inject malicious Git config like SSH commands, leading to remote code execution (RCE) on the server.

First, an attacker with push access to a repository adds a symlink (ln -s .git/config link), commits it, and pushes.

They then send a PUT request to /api/v1/repos/{owner}/{repo}/contents/link whose body carries base64-encoded malicious config, such as sshCommand = touch /tmp/abc or a custom remote.

The API's UpdateRepoFile skips key security checks on the target path, so the write follows the symlink into .git/config, and the injected setting executes the next time the server performs a Git operation on the repository.
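The write path described above (a symlink in the worktree pointing at .git/config, then a contents-API PUT on the symlink's name) is exactly what a server-side path check has to reject before touching the filesystem. The following is an added example and not Gogs code: a Go function that resolves an API-supplied repo-relative path to the file it would really write and refuses it when the final component is a symlink, when the resolved target escapes the worktree, or when it lands anywhere under .git. The function and error names are my own, and the repository layout in main is constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrUnsafePath = errors.New("refusing write: target escapes worktree or is inside .git")

// ResolveWritePath maps an API-supplied repo-relative path to the file a write
// would really touch (following symlinks) and rejects targets outside repoRoot
// or under repoRoot/.git. New files and new directories are allowed.
func ResolveWritePath(repoRoot, relPath string) (string, error) {
	root, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return "", err
	}
	// Cleaning against "/" means "../" can never climb above the repo root.
	candidate := filepath.Join(root, filepath.Clean("/"+relPath))
	// A symlink as the final component ("link" -> .git/config) is rejected:
	// a plain os.WriteFile would follow it into .git/config.
	if fi, err := os.Lstat(candidate); err == nil && fi.Mode()&os.ModeSymlink != 0 {
		return "", ErrUnsafePath
	}
	// Walk up to the nearest existing ancestor, resolve symlinked parent
	// directories there, then re-append the not-yet-existing remainder.
	dir, rest := filepath.Dir(candidate), filepath.Base(candidate)
	for _, err := os.Lstat(dir); err != nil; _, err = os.Lstat(dir) {
		dir, rest = filepath.Dir(dir), filepath.Join(filepath.Base(dir), rest)
	}
	resolvedDir, err := filepath.EvalSymlinks(dir)
	if err != nil {
		return "", err
	}
	target, sep := filepath.Join(resolvedDir, rest), string(filepath.Separator)
	gitDir := filepath.Join(root, ".git")
	if !strings.HasPrefix(target, root+sep) || target == gitDir || strings.HasPrefix(target, gitDir+sep) {
		return "", ErrUnsafePath
	}
	return target, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "gogs-demo") // constructed layout: .git/config plus link -> .git/config
	defer os.RemoveAll(dir)
	os.MkdirAll(filepath.Join(dir, ".git"), 0o755)
	os.WriteFile(filepath.Join(dir, ".git", "config"), []byte("[core]\n"), 0o644)
	os.Symlink(".git/config", filepath.Join(dir, "link"))
	_, err := ResolveWritePath(dir, "link") // the advisory's PUT .../contents/link
	fmt.Println("PUT contents/link:", err)
}
```

The check also catches a symlinked directory component (a link named gitdir pointing at .git, then a write to gitdir/config) because the parent directory is resolved with EvalSymlinks before the prefix comparison.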

Gogs faces additional risks, including CVE-2025-64175 (CVSS 7.7), a 2FA bypass: an attacker who already knows a victim's credentials can complete the second-factor step with recovery codes generated for the attacker's own account.


Another, CVE-2026-24135 (CVSS 7.2), enables authenticated file deletion via wiki path traversal.

| CVE ID | Severity (CVSS) | Description | Affected Versions | Patched Versions | CWE |
|---|---|---|---|---|---|
| CVE-2025-64111 | Critical (9.3) | RCE via .git/config update in API | <=0.13.3 | 0.13.4, 0.14.0+dev | 78 |
| CVE-2025-64175 | High (7.7) | 2FA recovery code cross-account bypass | <=0.13.3 | 0.13.4, 0.14.0+dev | N/A |
| CVE-2026-24135 | High (7.2) | Path traversal file deletion in wiki | <=0.13.3 | 0.13.4, 0.14.0+dev | N/A |

Upgrade to Gogs 0.13.4 or 0.14.0+dev immediately. Disable public repo access, enforce strong auth, and monitor API endpoints.

Consider migrating to Gitea, an actively maintained Gogs fork that does not share these issues. No public exploit is known yet, but the PoC makes the flaw easy to weaponize.

This flaw highlights risks in self-hosted Git tools. Prompt patching prevents server takeovers in dev environments.


The post Critical Gogs Vulnerability Enables Remote Command Execution and 2FA Bypass appeared first on Cyber Security News.

rssfeeds-admin
