The Vulnerability and Exploitation Method
A critical zero-day vulnerability has been discovered in Gogs, a self-hosted Git service often used as a lightweight alternative to GitHub Enterprise or GitLab. The flaw, which affects the latest releases including version 0.14.2 and the 0.15.0 development branch, allows authenticated users to achieve remote code execution on internet-facing instances. Discovery of the vulnerability is credited to researcher Jonah Burgess at Rapid7.
The exploit works through an argument injection weakness in the git rebase command. An attacker with a basic user account can create a repository and enable rebase merging in its settings. By submitting a pull request with a maliciously crafted branch name, the attacker injects the `--exec` flag into the git rebase operation that runs during the merge. This allows arbitrary code to run on the server under the identity of the Gogs process user.
Impact and Scope
Successful exploitation gives attackers full control over the targeted Gogs server. They can read all repositories, including private ones belonging to other users; dump sensitive credentials such as password hashes, API tokens, SSH keys, and two-factor authentication secrets; pivot to other systems on the same network; and modify any hosted code. The risk is amplified because Gogs ships with open registration enabled by default, meaning an unauthenticated attacker can simply create an account on any instance that has not been hardened.
The flaw was reported to the Gogs maintainers in mid-March, and while they acknowledged the report roughly ten days later, no patch has been released and further requests for updates have gone unanswered. This is the second critical RCE vulnerability to hit Gogs in recent months, following a separate zero-day that was exploited in widespread attacks and later added to the CISA catalog. Internet scanning data from Shadowserver shows over 2,400 exposed Gogs servers, predominantly in Asia and Europe, presenting a significant and growing attack surface.
Source: BleepingComputer

