Gogs: Critical Gogs Vulnerability Enables Remote Command Execution and 2FA Bypass

Critical RCE and 2FA Bypass Flaws Discovered in Gogs Self-Hosted Git Service

Severe security vulnerabilities in Gogs, a lightweight self-hosted Git service, have been uncovered, allowing attackers to execute code remotely (RCE) and bypass two-factor authentication (2FA). The flaws affect organizations using Gogs for private code hosting; versions up to 0.13.3 are impacted.

The most critical issue, CVE-2025-64111 (CVSS 9.3), stems from an incomplete fix for a prior vulnerability. An attacker with push access to a repository can abuse the PUT contents API to write attacker-controlled Git configuration (for example, an SSH command setting) into the repository's .git/config by first committing a symlink that points at that file. Git then honours the injected configuration during later operations on the server, giving the attacker RCE. The attack involves:

  1. Creating a symlink (ln -s .git/config link) and pushing it to the repository.
  2. Sending a crafted PUT request with a base64-encoded malicious config (e.g., sshCommand = touch /tmp/abc).
  3. Bypassing security checks in the UpdateRepoFile function, leading to arbitrary code execution.
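The check that step 3 gets past is a path check that does not follow symlinks before writing. As an added example, not Gogs's own code, the hypothetical SafeWritePath below shows what a correct check looks like: it walks the requested tree path under the checkout, resolves any symlink already committed there, and refuses writes that land under .git/ or outside the working tree, so a committed link named link pointing at .git/config is rejected before any configuration is written. The names SafeWritePath and ErrUnsafePath are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafePath: the resolved path leaves the working tree or targets .git/.
var ErrUnsafePath = errors.New("tree path escapes working tree or targets .git")

// SafeWritePath walks treePath component by component under repoRoot, following any
// symlink already present in the checkout, and returns the real path a write would
// touch. Hypothetical helper for a file-update endpoint; not Gogs's own code.
func SafeWritePath(repoRoot, treePath string) (string, error) {
	root, err := filepath.EvalSymlinks(repoRoot) // canonical working-tree root
	if err != nil {
		return "", err
	}
	cur := root
	for _, comp := range strings.Split(filepath.ToSlash(treePath), "/") {
		if comp == "" {
			continue
		}
		cur = filepath.Join(cur, comp) // Join also collapses "." and ".." components
		if fi, err := os.Lstat(cur); err == nil && fi.Mode()&os.ModeSymlink != 0 {
			// Committed symlink: resolve it so the check sees the real target.
			if cur, err = filepath.EvalSymlinks(cur); err != nil {
				return "", err
			}
		}
		rel, err := filepath.Rel(root, cur) // e.g. ".git/config" or "../escape"
		head := strings.SplitN(filepath.ToSlash(rel), "/", 2)[0]
		if err != nil || head == ".." || head == ".git" {
			return "", ErrUnsafePath
		}
	}
	return cur, nil
}

func main() { // constructed demo checkout holding the attacker's symlink
	dir, _ := os.MkdirTemp("", "gogs-demo")
	defer os.RemoveAll(dir)
	os.MkdirAll(filepath.Join(dir, ".git"), 0o755)
	os.WriteFile(filepath.Join(dir, ".git", "config"), []byte("[core]\n"), 0o644)
	os.Symlink(".git/config", filepath.Join(dir, "link")) // as pushed by the attacker
	_, err := SafeWritePath(dir, "link")
	fmt.Println("write via link:", err)
}
```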

Additionally, CVE-2025-64175 (CVSS 7.7) allows an attacker to bypass 2FA by presenting their own account's recovery codes while logging in as another user whose credentials they know. Another flaw, CVE-2026-24135 (CVSS 7.2), lets an authenticated user delete files through a path traversal in the wiki.

Affected Versions: Gogs ≤ 0.13.3
Patched Versions: 0.13.4 and 0.14.0+dev
No in-the-wild exploitation has been observed, but the availability of proof-of-concept (PoC) code increases the risk of weaponization.

The vulnerabilities underscore the risks of self-hosted Git tools, particularly in development environments. Organizations are advised to upgrade immediately to mitigate potential server takeovers. Alternatives like Gitea, an actively maintained fork of Gogs, do not suffer from these issues.

Source: https://cyberpress.org/gogs-vulnerability/

GOG cybersecurity rating report: https://www.rankiteo.com/company/gogcom
