Critical Gogs Vulnerability Allows Attackers to Silently Overwrite Large File Storage Objects

A critical security vulnerability has been discovered in Gogs, a widely used open‑source self‑hosted Git service, that could allow attackers to silently overwrite Git Large File Storage (LFS) objects across repositories.

The flaw, tracked as CVE-2026-25921, carries a CVSS v3.1 score of 9.3 and affects Gogs versions 0.14.1 and earlier.

Security researchers warn that the vulnerability could enable stealthy software supply‑chain attacks by allowing unauthenticated attackers to replace legitimate project files with malicious payloads such as backdoored binaries or scripts.

Vulnerability Overview

CVE-2026-25921 is classified under CWE-345, Insufficient Verification of Data Authenticity. The issue lies in how Gogs stores and serves Git Large File Storage objects.

Git LFS is designed to manage large files such as datasets, media files, and compiled binaries by storing them separately from the main Git repository.

Instead of storing the full file in Git, the repository contains a small pointer that references the file stored on a remote server.

In affected Gogs versions, weaknesses in the LFS storage architecture allow attackers to manipulate these objects without authentication.

Key details of the vulnerability include:

  • CVE ID: CVE-2026-25921
  • Severity: Critical (CVSS 9.3)
  • Affected Software: gogs.io/gogs
  • Affected Versions: 0.14.1 and earlier
  • Patched Version: 0.14.2
  • Weakness Type: CWE-345 (Insufficient Verification of Data Authenticity)

The vulnerability results from two design issues in how Gogs stores and verifies LFS objects, and it is their combination that makes a cross‑repository overwrite possible.

First, Gogs does not isolate LFS objects by repository. All LFS files are stored in a single global directory tree, and the storage path is determined solely by the Object ID (OID), the SHA‑256 hash the client declares for the file.

Because the OID is not bound to a repository ID, every repository on the instance resolves a given OID to the same file on disk. An upload made through one repository can therefore replace the object that another repository's pointer file refers to.

Second, Gogs does not verify that an uploaded object actually hashes to the declared SHA‑256 value.

The client supplies the hash used as the OID, and Gogs stores whatever bytes arrive under it. An attacker who can push LFS objects to any repository can declare a legitimate file's OID while uploading different content, and the substituted bytes are what every repository referencing that OID will subsequently download.
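To make the two design issues concrete, the following is an added Go model written for this page; it is not Gogs' code. It implements a toy LFS object store with a switch for each weakness: `Verify` controls whether an upload must hash to its declared OID, and `IsolateByRepo` controls whether the on-disk path includes the repository. The fan-out layout under the store root, the repository names and the two sample objects are assumptions made for the demonstration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// ErrHashMismatch is returned when an upload's SHA-256 differs from the OID
// the client declared for it.
var ErrHashMismatch = errors.New("lfs: uploaded content does not match declared oid")

// LFSStore is an illustrative model of an LFS object store, not Gogs' code.
// The two flags select the weak behaviour described above or a hardened one.
type LFSStore struct {
	Base          string
	Verify        bool // check SHA-256(content) == declared OID before writing
	IsolateByRepo bool // prefix the object path with the repository ID
}

// OID returns the lowercase hex SHA-256 a client would declare for content.
func OID(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// objectPath derives the on-disk path. Without isolation it depends on the OID
// alone, so two repositories that declare the same OID share one file.
// The <oid[0:2]>/<oid[2:4]>/<oid> fan-out is an assumed layout for this demo.
func (s *LFSStore) objectPath(repoID, oid string) (string, error) {
	if len(oid) != 64 {
		return "", fmt.Errorf("lfs: bad oid length %d", len(oid))
	}
	parts := []string{s.Base}
	if s.IsolateByRepo {
		parts = append(parts, repoID)
	}
	parts = append(parts, oid[:2], oid[2:4], oid)
	return filepath.Join(parts...), nil
}

// Put stores content under the client-declared OID. The weak store performs a
// plain overwrite of whatever already sits at that path.
func (s *LFSStore) Put(repoID, oid string, content []byte) error {
	if s.Verify && OID(content) != oid {
		return ErrHashMismatch
	}
	p, err := s.objectPath(repoID, oid)
	if err != nil {
		return err
	}
	if err := os.MkdirAll(filepath.Dir(p), 0o700); err != nil {
		return err
	}
	return os.WriteFile(p, content, 0o600)
}

// Get reads the object a repository's pointer file refers to.
func (s *LFSStore) Get(repoID, oid string) ([]byte, error) {
	p, err := s.objectPath(repoID, oid)
	if err != nil {
		return nil, err
	}
	return os.ReadFile(p)
}

// Constructed sample objects: what the victim repository legitimately stored,
// and what an attacker later uploads while declaring the victim's OID.
var (
	LegitObject     = []byte("#!/bin/sh\necho build step ok\n")
	MaliciousObject = []byte("#!/bin/sh\necho this is not the file you committed\n")
)

// Scenario runs the cross-repository overwrite against a store with the given
// settings and reports what the victim reads back afterwards.
func Scenario(verify, isolate bool) (victimSees []byte, attackerErr error, err error) {
	dir, err := os.MkdirTemp("", "lfs-demo-")
	if err != nil {
		return nil, nil, err
	}
	defer os.RemoveAll(dir)

	s := &LFSStore{Base: dir, Verify: verify, IsolateByRepo: isolate}
	oid := OID(LegitObject) // the OID recorded in the victim's pointer file
	if err := s.Put("victim-repo", oid, LegitObject); err != nil {
		return nil, nil, err
	}
	// The attacker controls a different repository but reuses the victim's OID.
	attackerErr = s.Put("attacker-repo", oid, MaliciousObject)

	victimSees, err = s.Get("victim-repo", oid)
	return victimSees, attackerErr, err
}

func main() {
	for _, c := range []struct{ verify, isolate bool }{{false, false}, {true, false}, {false, true}} {
		got, aErr, err := Scenario(c.verify, c.isolate)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("verify=%v isolate=%v attackerErr=%v victimIntact=%v\n",
			c.verify, c.isolate, aErr, string(got) == string(LegitObject))
	}
}
```

With both flags off the victim's pointer resolves to the attacker's bytes and the attacker's upload is accepted without error, which is the silent overwrite. Enabling `Verify` alone, the check the article attributes to 0.14.2, rejects the upload because the content no longer hashes to the declared OID. Enabling `IsolateByRepo` alone also protects the victim, since the attacker's object lands in a different namespace, but it leaves the hash unverified; the model includes it only to show the first design issue in isolation, not as a claim about what the patch does.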

Mitigations and Remediation

The vulnerability was disclosed by security researcher zjuchenyuan through a GitHub security advisory. Gogs maintainers have released version 0.14.2 to address the issue.

Organizations using Gogs should take the following steps immediately:

  • Update to Gogs version 0.14.2 or later, which enforces strict verification to ensure uploaded LFS objects match their declared SHA‑256 hashes.
  • Audit existing LFS objects by recomputing each stored object's SHA‑256 and comparing it with the OID it is stored under, to confirm that nothing was overwritten before the patch was applied.
  • Restrict access to Gogs instances or disable public registrations temporarily if immediate patching is not possible.
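The audit step above amounts to a content-addressing check: every object on disk should still hash to the OID encoded in its path, so an object that was overwritten before patching shows up as a mismatch. The following is an added Go tool written for this page, not something shipped with Gogs. It walks a store root, streams each file through SHA-256 and reports mismatches. The layouts it accepts (file name equals the full OID, or the OID is the fan-out directories and file name concatenated) and the constructed sample store are assumptions; check them against your instance's actual LFS directory before relying on the output.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Mismatch records an object whose bytes do not hash to the OID its path claims.
type Mismatch struct {
	Path     string // relative to the store root
	Declared string // OID recovered from the path
	Actual   string // SHA-256 of the bytes on disk
}

// declaredOID recovers the OID from a path relative to the store root. Two
// layouts are accepted (an assumption of this tool, not a statement about
// Gogs' exact layout): a 64-hex-char file name, or the path components joined.
func declaredOID(rel string) string {
	if base := filepath.Base(rel); len(base) == 64 {
		return base
	}
	return strings.Join(strings.Split(filepath.ToSlash(rel), "/"), "")
}

// hashFile streams the file through SHA-256 so large objects need not fit in memory.
func hashFile(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// AuditLFSObjects returns every regular file under root whose content hash
// differs from the OID encoded in its path. An object replaced after it was
// stored is caught because its path still carries the original hash.
func AuditLFSObjects(root string) ([]Mismatch, error) {
	var bad []Mismatch
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.IsDir() {
			return nil
		}
		rel, err := filepath.Rel(root, path)
		if err != nil {
			return err
		}
		actual, err := hashFile(path)
		if err != nil {
			return err
		}
		if declared := declaredOID(rel); actual != declared {
			bad = append(bad, Mismatch{Path: rel, Declared: declared, Actual: actual})
		}
		return nil
	})
	return bad, err
}

// BuildSampleStore creates a constructed store in a temp directory: one intact
// object and one whose bytes were swapped after it was named. It returns the
// root and the tampered object's OID so the audit result can be checked.
func BuildSampleStore() (root, tamperedOID string, err error) {
	root, err = os.MkdirTemp("", "lfs-audit-")
	if err != nil {
		return "", "", err
	}
	put := func(oid string, content []byte) error {
		p := filepath.Join(root, oid[:2], oid[2:4], oid) // assumed fan-out layout
		if err := os.MkdirAll(filepath.Dir(p), 0o700); err != nil {
			return err
		}
		return os.WriteFile(p, content, 0o600)
	}
	intact := []byte("intact dataset\n")
	sum := sha256.Sum256(intact)
	if err = put(hex.EncodeToString(sum[:]), intact); err != nil {
		return "", "", err
	}
	sum = sha256.Sum256([]byte("original tool binary\n"))
	tamperedOID = hex.EncodeToString(sum[:])
	// Stored under the original's OID but with different bytes: the overwrite.
	if err = put(tamperedOID, []byte("replaced contents\n")); err != nil {
		return "", "", err
	}
	return root, tamperedOID, nil
}

func main() {
	root, _, err := BuildSampleStore()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	defer os.RemoveAll(root)
	bad, err := AuditLFSObjects(root)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, m := range bad {
		fmt.Printf("MISMATCH %s actual=%s\n", m.Path, m.Actual[:12])
	}
	fmt.Printf("%d object(s) failed verification\n", len(bad))
}
```

Point `AuditLFSObjects` at the real store root instead of the sample directory to run it against an instance. A mismatch tells you the object was altered after it was stored; it does not tell you what the original was, so follow up with the pointer files in the repositories that reference that OID and restore the object from a trusted copy.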


The post Critical Gogs Vulnerability Allows Attackers to Silently Overwrite Large File Storage Objects appeared first on Cyber Security News.
