
Critical Gogs Zero-Day Allows Remote Code Execution Through Pull Request Branch Names

Authenticated users can exploit the vulnerability by creating pull requests with specially crafted branch names that Git interprets as command flags.

CSBadmin

A critical zero-day vulnerability has been discovered in Gogs, a widely used self-hosted Git platform, that allows any authenticated user to execute arbitrary commands on the underlying server. Security researcher Jonah Burgess at Rapid7 Labs identified the flaw, which affects the latest stable release (version 0.14.2) and the development build. The vulnerability has been assigned a CVSSv4 score of 9.4, indicating critical severity.

Exploitation and Impact

The vulnerability resides in Gogs’ “Rebase before merging” merge operation. The exploit targets the Merge() function, which passes the pull request’s base branch name directly to a git rebase command without sanitization. An attacker can craft a malicious branch name containing Git command-line flags, such as `--exec` followed by a command payload. When the rebase merge is triggered, Git parses the branch name as a flag rather than a ref and executes the attacker’s command on the server.
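As an added illustration of the defensive fix (this is not Gogs code and not Rapid7’s), a Go helper that validates a user-supplied branch name before it reaches git rebase and places it after the end-of-options marker so it can never be parsed as a flag. It assumes git rebase honours `--`, and the hostile name in main() is a constructed sample.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrBadRef is returned for branch names that git could misread.
var ErrBadRef = errors.New("invalid branch name")

// ValidateBranchName applies a conservative subset of git's check-ref-format
// rules; the leading '-' check is what stops "--exec=<cmd>" parsing as an option.
func ValidateBranchName(name string) error {
	switch {
	case name == "", name == "@":
		return ErrBadRef
	case strings.HasPrefix(name, "-"):
		return fmt.Errorf("%w: starts with '-'", ErrBadRef)
	case strings.HasPrefix(name, "/"), strings.HasPrefix(name, "."),
		strings.HasSuffix(name, "/"), strings.HasSuffix(name, "."),
		strings.HasSuffix(name, ".lock"):
		return ErrBadRef
	case strings.Contains(name, ".."), strings.Contains(name, "//"),
		strings.Contains(name, "@{"), strings.Contains(name, "/."):
		return ErrBadRef
	}
	for _, r := range name {
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[\\", r) {
			return fmt.Errorf("%w: forbidden character %q", ErrBadRef, r)
		}
	}
	return nil
}

// RebaseArgs builds argv for exec.Command("git", args...). The "--" marker
// (assumed honoured by git rebase) keeps both names positional regardless.
func RebaseArgs(base, head string) ([]string, error) {
	for _, n := range []string{base, head} {
		if err := ValidateBranchName(n); err != nil {
			return nil, err
		}
	}
	return []string{"rebase", "--", base, head}, nil
}

func main() {
	_, err := RebaseArgs("main", "--exec=<cmd>") // constructed hostile name
	fmt.Println("rejected:", err)
}
```

The same validation belongs at branch creation and pull-request submission, not only at merge time, so a hostile name is refused before it is ever stored.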

The low barrier to entry makes this vulnerability particularly dangerous. Gogs ships with open user registration and unlimited repository creation enabled by default, so an attacker who starts out unauthenticated can register an account, create a repository, enable rebase merging, and run the full exploit chain without any interaction from other users or any administrative privileges.

Potential Consequences

Successful exploitation can lead to server compromise, cross-tenant data breaches (including reading private repositories), credential theft (password hashes, API tokens, SSH keys, and 2FA secrets from the database), lateral movement to other network systems, and supply chain attacks through silent modification of hosted repository code. With approximately 50,000 GitHub stars, Gogs has a substantial user base, making this vulnerability a significant concern for organizations using the platform. No patch was available at the time of publication.

Source: Cyber Security News
