Gogs patches critical RCE zero-day exposing private repos and credentials
Gogs, a popular self-hosted Git service, has finally patched a critical zero-day that Rapid7 disclosed in late May when no fix existed. The flaw (CVSS 9.4, no CVE assigned yet) lets a logged-in user with no admin rights run commands on the server by opening a pull request whose branch name secretly injects an exec option into a git rebase. Because Gogs ships with open registration on by default, an attacker can simply create an account to reach it. Successful exploitation means full server takeover: reading every private repository, dumping password hashes, API tokens, SSH keys, and 2FA secrets, and tampering with hosted source code.
- Check: Identify internet-facing Gogs instances and their version, check whether open registration is enabled, and review logs for unexpected pull requests with unusual branch names or new low-privilege accounts.
- Affected: Self-hosted Gogs servers up to and including 0.14.2 and 0.15.0+dev, especially those with the default open registration and unlimited repository creation enabled.
- Fix: Upgrade to the patched Gogs release immediately. As interim mitigation, disable open registration and restrict repository creation, and rotate any credentials or tokens stored on the server.
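A defender-side triage script for the checks above, added here as an example and not taken from the advisory or the Gogs project: it audits an app.ini for the two default settings the advisory calls out and flags pull-request head branches that look like command-line options rather than refs. It assumes Gogs' default `[service] DISABLE_REGISTRATION` and `[repository] MAX_CREATION_LIMIT` key names, and all sample data is constructed.

```python
import configparser
import re

# Constructed app.ini fragment (not a real deployment). Section and key names
# are those of Gogs' default config; the values shown are the defaults.
SAMPLE_APP_INI = """
[service]
DISABLE_REGISTRATION = false

[repository]
MAX_CREATION_LIMIT = -1
"""

# Constructed list of open pull requests as (author, head branch) pairs.
SAMPLE_PULLS = [
    ("alice", "feature/login-form"),
    ("newuser42", "--looks-like-an-option"),
    ("bob", "fix/exec-timeout"),
]

OPTION_LIKE = re.compile(r"^-")            # git would read this as a flag, not a ref
SHELL_META = re.compile(r"[;&|`$<>(){}]")  # never legitimate in a branch name


def audit_config(ini_text: str) -> list[str]:
    """Report settings that let anyone reach the PR path the flaw lives behind."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string("[__root__]\n" + ini_text)  # Gogs has keys above the first section
    findings = []
    if not cfg.getboolean("service", "DISABLE_REGISTRATION", fallback=False):
        findings.append("open registration: any visitor can create the account needed to open a PR")
    if cfg.getint("repository", "MAX_CREATION_LIMIT", fallback=-1) < 0:
        findings.append("unlimited repository creation: new accounts can host a PR source branch")
    return findings


def branch_flags(name: str) -> list[str]:
    """Heuristic reasons a head branch name deserves a closer look."""
    reasons = []
    if OPTION_LIKE.match(name):
        reasons.append("starts with '-' (option-like)")
    if SHELL_META.search(name):
        reasons.append("contains shell metacharacters")
    return reasons


def triage_pulls(pulls: list[tuple[str, str]]) -> list[tuple[str, str, list[str]]]:
    """Return only the pull requests whose head branch trips a heuristic."""
    return [(a, b, branch_flags(b)) for a, b in pulls if branch_flags(b)]


if __name__ == "__main__":
    print(audit_config(SAMPLE_APP_INI))
    print(triage_pulls(SAMPLE_PULLS))
```

Point `audit_config` at the real `custom/conf/app.ini` and feed `triage_pulls` the open pull requests from your instance; the branch heuristics are a starting filter for review, not proof of compromise.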