New Gogs zero-day flaw lets hackers gain remote code execution

An unpatched zero-day vulnerability in the Gogs self-hosted Git service could allow attackers to gain remote code execution (RCE) on Internet-facing installations.
Designed as an alternative to GitHub Enterprise or GitLab and written in Go, Gogs servers are often exposed online for remote access.
This critical-severity injection flaw has not yet been assigned a CVE ID, affects the latest release versions (Gogs 0.14.2 and 0.15.0+dev), and can be exploited by authenticated attackers without administrative privileges.
Although exploitation requires only a basic user account, Rapid7 senior security researcher Jonah Burges, who discovered the bug, said the vulnerability affects all Gogs servers in their default configuration.
“Since Gogs ships with open registration enabled by default (DISABLE_REGISTRATION = false) and no limit on repository creation (MAX_CREATION_LIMIT = -1), an unauthorized attacker could simply create an account and repository at any given event,” Burges warned Thursday.
“Any registered user who creates a repo automatically owns it. From there, enabling rebase is a single change in settings, and the entire exploit chain can be run without any other user’s interaction.”
A successful exploit lets attackers execute arbitrary code remotely as the Gogs server process: when a pull request whose head branch carries a malicious name is merged with the “Rebase before merging” option, the crafted branch name is passed to the underlying git rebase command, where it is interpreted as a flag rather than a branch name.
They can abuse this security flaw “to compromise the server, read the entire cache at that time (including private areas of other users), dispose of information (password hashes, API tokens, SSH keys, 2FA secrets), turn to other programs accessible from the network, and modify any code of the hosted repository.”
Burges added that this vulnerability is similar to other argument injection flaws reported in Gogs in recent years (e.g., CVE-2024-39933, CVE-2024-39932, CVE-2026-26194, and CVE-2024-39930), but it affects a different code path (the merge operation) through a different method.
The researcher reported the security flaw to Gogs maintainers on March 17. Although they acknowledged the report on March 28, they have yet to issue a patch or respond to further requests for status updates.
Internet security watchdog Shadowserver currently tracks more than 2,400 Gogs servers exposed on the Internet, most of them in Asia (1,894) and Europe (319), while Shodan finds just over 1,000 IP addresses carrying the Gogs fingerprint.
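The class of bug described above is a user-controlled ref name reaching a git subprocess where it can be parsed as an option. The following Go helper is an added illustration of the defensive pattern, not Gogs' own code: the function names, the conservative ref-name rules, and the argv layout are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// refNamePattern is a conservative subset of git's ref-name rules (assumed
// for this example): an alphanumeric first character, then [A-Za-z0-9._/-].
// The first-character rule alone guarantees a name can never look like an option.
var refNamePattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._/-]*$`)

// ErrBadRefName is returned when a branch name fails validation.
var ErrBadRefName = errors.New("invalid branch name")

// ValidateBranchName rejects names that could be parsed as git options or
// that contain sequences git itself refuses in refs ("..", ".lock", "//").
func ValidateBranchName(name string) error {
	switch {
	case name == "", strings.HasPrefix(name, "-"):
		return ErrBadRefName
	case strings.Contains(name, ".."), strings.HasSuffix(name, ".lock"),
		strings.HasSuffix(name, "/"), strings.Contains(name, "//"):
		return ErrBadRefName
	case !refNamePattern.MatchString(name):
		return ErrBadRefName
	}
	return nil
}

// UnsafeRebaseArgs shows the weak pattern: the user-controlled head branch is
// placed directly after the subcommand, so a name beginning with '-' is
// consumed by git's option parser instead of being treated as a ref.
func UnsafeRebaseArgs(baseBranch, headBranch string) []string {
	return []string{"rebase", baseBranch, headBranch}
}

// SafeRebaseArgs validates both names and ends option parsing explicitly with
// "--end-of-options" (git 2.24+), so every following word is a ref. For
// git rebase, which takes no pathspec, a bare "--" works equally well.
func SafeRebaseArgs(baseBranch, headBranch string) ([]string, error) {
	for _, b := range []string{baseBranch, headBranch} {
		if err := ValidateBranchName(b); err != nil {
			return nil, fmt.Errorf("%w: %q", err, b)
		}
	}
	return []string{"rebase", "--end-of-options", baseBranch, headBranch}, nil
}
```

Pass the returned slice to exec.Command("git", args...) with no shell in between; validation at the HTTP handler plus the option terminator at the subprocess boundary gives two independent layers.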

In early December, the Gogs security team patched another Gogs RCE vulnerability (CVE-2025-8110) that had been exploited in zero-day attacks to compromise hundreds of servers.
“Many of these scenarios are configured with ‘Open Registration’ enabled by default, creating a large attack surface,” Wiz security researchers (who reported the bug) said at the time.
Wiz Research found CVE-2025-8110 while investigating a vulnerable Gogs server in July and reported the bug to Gogs maintainers on July 17. The maintainers accepted Wiz’s report three months later, on October 30, and released patches for CVE-2025-8110 in early January.
On January 12, CISA confirmed the Wiz report that CVE-2025-8110 was being exploited and added the flaw to its catalog of vulnerabilities exploited in the wild, ordering Federal Civilian Executive Branch (FCEB) agencies to secure their servers by February 2.
“This type of vulnerability is a common attack by malicious actors and poses a significant risk to government business,” CISA warned at the time.