Gogs patches critical RCE zero-day exposing private repos and credentials

Gogs, a popular self-hosted Git service, has finally patched a critical zero-day that Rapid7 disclosed in late May, when no fix existed. The flaw (CVSS 9.4, no CVE assigned yet) lets a logged-in user with no admin rights run commands on the server by opening a pull request whose branch name secretly injects an exec option into a git rebase. Because Gogs ships with open registration enabled by default, an attacker can simply create an account to reach it. Successful exploitation means full server takeover: reading every private repository, dumping password hashes, API tokens, SSH keys, and 2FA secrets, and tampering with hosted source code.

Check
Identify internet-facing Gogs instances and their version, check whether open registration is enabled, and review logs for unexpected pull requests with unusual branch names or new low-privilege accounts.
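As an added example (not from this advisory or from the Gogs project), the log-review part of the check above as a small Python scanner: it parses pull-request events and flags head-branch names that begin with a dash (which git would read as an option) or otherwise break git's ref-name rules. The log line format and the sample lines are constructed assumptions, not real Gogs output.

```python
import re

# Characters git never allows in a ref name (see git check-ref-format):
# control bytes, space, DEL, and ~ ^ : ? * [ \
_BAD_CHARS = re.compile(r'[\x00-\x20\x7f~^:?*\[\\]')

# Assumed log format for this example: "<ts> pull_request_opened user=<u> head=<branch>"
_PR_LINE = re.compile(r'^(?P<ts>\S+) pull_request_opened user=(?P<user>\S+) head=(?P<head>.*)$')


def branch_name_is_suspicious(name: str) -> bool:
    """True if a branch name looks like an argument-injection attempt
    (leading dash) or violates git's ref-name rules in any other way."""
    if not name or name.startswith("-"):          # would be parsed as a git option
        return True
    if _BAD_CHARS.search(name) or ".." in name or "@{" in name:
        return True
    if name.endswith(("/", ".", ".lock")):
        return True
    # No path component may start with a dot (e.g. ".git/hooks")
    return any(part.startswith(".") for part in name.split("/"))


def scan_pr_log(text: str) -> list:
    """Return the PR events whose head branch name fails the checks above."""
    hits = []
    for line in text.splitlines():
        m = _PR_LINE.match(line)
        if m is None:
            continue                               # not a PR event; skip
        head = m.group("head")
        if branch_name_is_suspicious(head):
            hits.append({"ts": m.group("ts"), "user": m.group("user"), "head": head})
    return hits


# Constructed sample lines: one ordinary PR and one from a fresh account
# whose branch name starts with a dash.
SAMPLE_LOG = """\
2024-06-01T10:00:01Z pull_request_opened user=alice head=feature/login-fix
2024-06-01T10:02:17Z pull_request_opened user=newuser42 head=--option-like-name
"""

if __name__ == "__main__":
    for hit in scan_pr_log(SAMPLE_LOG):
        print(f"{hit['ts']} suspicious branch from {hit['user']}: {hit['head']!r}")
```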
Affected
Self-hosted Gogs servers up to and including 0.14.2 and 0.15.0+dev, especially those with the default open registration and unlimited repository creation enabled.
Fix
Upgrade to the patched Gogs release immediately. As interim mitigation, disable open registration and restrict repository creation, and rotate any credentials or tokens stored on the server.