GOG A.I CyberSecurity Scoring
GOG
Company Information
Website: http://www.gog.com
Employees: 812
Followers: 11,267
NAICS: 51126
Industry Type: Computer Games
Homepage: gog.com
GOG Risk Score (AI oriented): 744/1000, Moderate (grade Ba), band Between 700 and 749
Updated: 29/05/2026
GOG Global Score (TPRM): score locked
Current Score: 744 Ba (MODERATE)
4 incidents, -5 average impact per incident
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
745
MAY 2026
744
APRIL 2026
744
MARCH 2026
748
Vulnerability
17 Mar 2026 • GOG
Gogs: Critical Gogs RCE Vulnerability Lets Any Authenticated User Execute Arbitrary Code
Critical RCE Vulnerability in Gogs Exposes Self-Hosted Git Instances
743
CRITICAL-5
GOG1780035947
A severe security flaw in Gogs, a widely used open-source self-hosted Git service, has been disclosed. It allows authenticated users to execute arbitrary code under specific conditions. The vulnerability is rated 9.4 on the CVSS scale and has no CVE identifier, but it poses a significant risk to unpatched instances.
The flaw enables remote code execution (RCE) through the `--exec` flag of `git rebase`, which the server runs during a "Rebase before merging" operation on a pull request. An attacker triggers it by giving the pull request's branch a crafted name: because the branch name is passed to git as a plain argument, a name beginning with `--exec=` is parsed as the option and the command it carries runs on the server. Notably, the attack requires neither admin privileges nor interaction from other users; a registered account and ownership of a repository, which Gogs grants by default, are enough.
Where repository creation is restricted, an attacker with write access to any repository that has rebase merging enabled can still exploit the vulnerability. Successful exploitation can lead to server compromise, credential theft, lateral movement and tampering with hosted code. On shared servers it may also expose other tenants' private repositories, a cross-tenant data breach.
The vulnerability affects all supported platforms (Windows, Linux, macOS). It was reported to the Gogs maintainers on March 17, 2026 and remains unpatched. Although 1,141 internet-facing Gogs instances have been identified, the real number of vulnerable deployments is likely higher, since many sit behind VPNs or on internal networks.
Security firm Rapid7 has published a Metasploit module that automates exploitation in two modes: one creates and then deletes a temporary repository, leaving minimal traces in the logs; the other targets an existing repository to which the attacker already has write access. The flaw underscores the risk of unpatched self-hosted Git services in enterprise and open-source environments.
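To make the argument-injection mechanism concrete, the Go program below is an added example written for this page; it is not Gogs code and it never runs git. It only builds the argument vector that would be handed to git: `rebaseArgsVulnerable` appends the pull request's branch name unchecked, so a name such as `--exec=id` arrives as the `--exec` option, while `rebaseArgsHardened` refuses option-like or otherwise malformed ref names and puts the refs after `--end-of-options`. All function names are hypothetical, the branch name is constructed, and the `--end-of-options` terminator is assumed to be understood by the server's git (on an older git the command fails closed with "unknown option" rather than running anything).

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Hypothetical helpers written for this page; not Gogs code.

// rebaseArgsVulnerable mirrors the failure mode described above: the head
// branch name from the pull request is appended straight to the git argument
// vector, so a name such as "--exec=id" is parsed by git as the --exec option
// and "id" runs on the server for every replayed commit.
func rebaseArgsVulnerable(base, head string) []string {
	return []string{"rebase", base, head}
}

// isOptionLike reports whether git would read arg as an option, not a ref.
func isOptionLike(arg string) bool {
	return strings.HasPrefix(arg, "-")
}

// refNameBadChars matches characters git check-ref-format rejects: control
// characters, space, DEL, and the ref metacharacters ~ ^ : ? * [ \.
var refNameBadChars = regexp.MustCompile(`[\x00-\x20\x7f~^:?*\[\\]`)

var errBadRefName = errors.New("invalid or option-like ref name")

// validateRefName applies the subset of git's check-ref-format rules that
// matter here. The leading "-" check is the one that blocks the --exec
// injection; the rest keep "..", "@{" and friends away from git entirely.
func validateRefName(name string) error {
	switch {
	case name == "",
		name == "@",
		strings.HasPrefix(name, "-"),
		strings.HasPrefix(name, "/"),
		strings.HasSuffix(name, "/"),
		strings.HasSuffix(name, "."),
		strings.HasSuffix(name, ".lock"),
		strings.Contains(name, ".."),
		strings.Contains(name, "//"),
		strings.Contains(name, "/."),
		strings.Contains(name, "@{"),
		refNameBadChars.MatchString(name):
		return fmt.Errorf("%w: %q", errBadRefName, name)
	}
	return nil
}

// rebaseArgsHardened validates both ref names and places them after
// "--end-of-options" so git stops option parsing before it sees them.
// Assumption: the server's git honours --end-of-options.
func rebaseArgsHardened(base, head string) ([]string, error) {
	for _, ref := range []string{base, head} {
		if err := validateRefName(ref); err != nil {
			return nil, err
		}
	}
	return []string{"rebase", "--end-of-options", base, head}, nil
}

func main() {
	malicious := "--exec=id" // constructed attacker-controlled branch name
	fmt.Printf("vulnerable argv: git %s\n", strings.Join(rebaseArgsVulnerable("main", malicious), " "))
	if _, err := rebaseArgsHardened("main", malicious); err != nil {
		fmt.Println("hardened: rejected:", err)
	}
	args, _ := rebaseArgsHardened("main", "feature/login")
	fmt.Printf("hardened argv: git %s\n", strings.Join(args, " "))
}
```

The validation and the terminator are deliberately both present: the name check stops the injection at the input boundary, and `--end-of-options` protects any other code path that later hands the same ref to git without re-checking it.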
FEBRUARY 2026
747
JANUARY 2026
752
Vulnerability
01 Jan 2026 • GOG
Gogs: Critical Gogs Vulnerability Allows Attackers to Silently Overwrite Large File Storage Objects
Critical Gogs Vulnerability (CVE-2026-25921) Exposes Self-Hosted Git Services to Supply-Chain Attacks
747
CRITICAL-5
GOG1773146209
A severe security flaw in Gogs, a popular open-source self-hosted Git service, has been identified, allowing unauthenticated attackers to silently overwrite Git Large File Storage (LFS) objects across repositories. Tracked as CVE-2026-25921 (CVSS 9.3), the vulnerability affects Gogs versions 0.14.1 and earlier and could enable stealthy supply-chain attacks by replacing legitimate files with malicious payloads, such as backdoored binaries or scripts.
### Vulnerability Details
The flaw stems from CWE-345 (Insufficient Verification of Data Authenticity) in Gogs’ LFS storage architecture. Key issues include:
- No repository-level isolation: LFS objects are stored in a single global directory, with the storage path derived solely from the object ID (OID), so an upload made in the context of one repository can overwrite the object of any other repository that shares that OID.
- Missing hash verification: Gogs did not check that an uploaded body actually hashes to the SHA-256 OID it was declared under, so an attacker can substitute arbitrary content behind a legitimate OID without detection.
### Impact & Risks
Exploiting this vulnerability could allow attackers to:
- Replace critical project files (e.g., datasets, compiled binaries) with malicious versions.
- Compromise software supply chains by injecting backdoors into repositories.
- Evade detection, since the pointer file committed in the repository is unchanged, the OID still looks valid, and the upload requires no authentication.
### Mitigation & Patch
The vulnerability was disclosed by security researcher zjuchenyuan via a GitHub advisory. Gogs maintainers have released version 0.14.2, which enforces strict hash verification for LFS objects. Recommended actions:
- Upgrade to Gogs 0.14.2 or later immediately.
- Audit existing LFS objects to ensure no unauthorized modifications occurred before patching.
- Restrict access or disable public registrations if patching is delayed.
The flaw underscores the risks of unverified file storage in self-hosted Git services, particularly for organizations managing sensitive or widely distributed codebases.
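As an added example written for this page (not Gogs code), the Go program below models both defects in an in-memory object store and the fix that 0.14.2 is described as shipping: a global, OID-keyed store that accepts any body, beside a per-repository store that verifies the SHA-256 of the upload against the declared OID and rejects malformed OIDs before they can become path components. It also includes the post-hoc audit the mitigation list recommends, which re-hashes every stored object and reports the ones that no longer match their OID. The type and function names (`lfsStore`, `putUnverified`, `putVerified`, `auditObjects`, `demo`) are hypothetical and the two object bodies are constructed.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
	"sort"
)

// Hypothetical in-memory model written for this page; not Gogs code.

// oidOf returns the Git LFS object ID of body: the lowercase hex SHA-256.
func oidOf(body []byte) string {
	sum := sha256.Sum256(body)
	return hex.EncodeToString(sum[:])
}

// oidPattern is the only shape an OID may take; anything else could carry
// "../" once it is turned into a storage path.
var oidPattern = regexp.MustCompile(`^[0-9a-f]{64}$`)

var (
	errBadOID       = errors.New("malformed object id")
	errHashMismatch = errors.New("upload does not hash to the declared oid")
)

// lfsStore stands in for the on-disk LFS directory: keys are storage paths,
// values are object bodies.
type lfsStore struct {
	objects map[string][]byte
}

func newLFSStore() *lfsStore { return &lfsStore{objects: map[string][]byte{}} }

// putUnverified models the vulnerable behaviour: the path is derived from the
// OID alone (no repository in the key) and the body is stored without being
// hashed, so any client can replace any repository's object.
func (s *lfsStore) putUnverified(oid string, body []byte) {
	s.objects[oid] = body
}

// putVerified models the hardened behaviour: the OID must be well formed, the
// body must hash to it, and the key is scoped to the repository.
func (s *lfsStore) putVerified(repoID, oid string, body []byte) error {
	if !oidPattern.MatchString(oid) {
		return fmt.Errorf("%w: %q", errBadOID, oid)
	}
	if got := oidOf(body); got != oid {
		return fmt.Errorf("%w: declared %s, got %s", errHashMismatch, oid, got)
	}
	s.objects[repoID+"/"+oid] = body
	return nil
}

// get returns a repository-scoped object, or nil if it is absent.
func (s *lfsStore) get(repoID, oid string) []byte { return s.objects[repoID+"/"+oid] }

// auditObjects re-hashes every stored object and returns the keys whose
// content does not match the trailing 64-hex OID in the key. This is the
// check to run over objects that were uploaded before patching.
func (s *lfsStore) auditObjects() []string {
	var bad []string
	for key, body := range s.objects {
		if len(key) < 64 || oidOf(body) != key[len(key)-64:] {
			bad = append(bad, key)
		}
	}
	sort.Strings(bad)
	return bad
}

// demo runs the scenario from the write-up: repository "alpha" publishes a
// release script as an LFS object, and an unauthenticated client who only
// knows its OID uploads a different body under the same OID.
func demo() (overwrittenUnverified bool, verifiedErr error, audit []string) {
	release := []byte("#!/bin/sh\necho legitimate build\n")              // constructed
	backdoor := []byte("#!/bin/sh\necho legitimate build; echo pwned\n") // constructed
	oid := oidOf(release)

	unverified := newLFSStore()
	unverified.putUnverified(oid, release)
	unverified.putUnverified(oid, backdoor) // silently replaces alpha's object
	overwrittenUnverified = bytes.Equal(unverified.objects[oid], backdoor)

	verified := newLFSStore()
	_ = verified.putVerified("alpha", oid, release)
	verifiedErr = verified.putVerified("beta", oid, backdoor) // rejected: hash mismatch

	audit = unverified.auditObjects() // flags the tampered object by its key
	return
}

func main() {
	overwritten, err, audit := demo()
	fmt.Println("unverified store silently overwritten:", overwritten)
	fmt.Println("verified store rejected cross-repo upload:", err)
	fmt.Println("audit flagged:", audit)
}
```

Note that the per-repository key is a second, independent control: even an upload whose body does hash correctly cannot touch another repository's object, so a tenant on a shared server can at most corrupt its own storage.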
DECEMBER 2025
752
NOVEMBER 2025
751
OCTOBER 2025
751
SEPTEMBER 2025
751
AUGUST 2025
750
JULY 2025
755
Vulnerability
10 Jul 2025 • GOG
Gogs: Alert! Vulnerability in popular self-hosted Git service Gogs targeted by hackers
CVE-2025-8110 Exploitation in Gogs Self-Hosted Git Service
750
CRITICAL-5
GOG1768273478
CISA Adds Actively Exploited Gogs Vulnerability to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-8110, a remote code execution (RCE) vulnerability in the Gogs self-hosted Git service, to its Known Exploited Vulnerabilities (KEV) Catalog. The flaw has been under active exploitation since at least July 2025, despite only being formally cataloged in December.
Researchers at Wiz uncovered the campaign while investigating a malware-infected system and went on to identify widespread abuse of the vulnerability, which is a bypass of an earlier Gogs RCE flaw (CVE-2024-55947). The issue stems from an incomplete patch that failed to account for symbolic links: a symlink committed to a repository lets an attacker write to files outside the repository's work tree and execute arbitrary commands.
As of December 2025, more than 1,400 internet-facing Gogs instances had been detected, and more than half of them were compromised with Supershell-based malware. Infected systems shared a distinct pattern, eight-character random owner and repository names created around July 10, suggesting a single threat actor or coordinated group. The Gogs maintainers are working on a fix, but no patch is currently available, leaving exposed instances vulnerable.
JANUARY 2025
755
Vulnerability
01 Jan 2025 • GOG
Gogs: Critical Gogs Vulnerability Enables Remote Command Execution and 2FA Bypass
Critical RCE and 2FA Bypass Flaws Discovered in Gogs Self-Hosted Git Service
754
CRITICAL-1
GOG1770738763
A severe security vulnerability in Gogs, a lightweight self-hosted Git service, has been uncovered, allowing attackers to execute remote code (RCE) and bypass two-factor authentication (2FA). The flaws affect organizations using Gogs for private code hosting, with versions up to 0.13.3 impacted.
The most critical issue, CVE-2025-64111 (CVSS 9.3), stems from an incomplete fix for a prior vulnerability. An attacker with push access to a repository can abuse the repository contents PUT API to inject a malicious Git configuration, such as an `sshCommand`, by first committing a symlink that points at `.git/config`; the server then honours that configuration during its own Git operations, giving RCE. The attack involves:
1. Creating a symlink to the config file (`ln -s .git/config link`) and pushing it to the repository.
2. Sending a crafted PUT request for `link` whose base64-encoded content is a malicious config (e.g. `sshCommand = touch /tmp/abc`).
3. Passing the security checks in the `UpdateRepoFile` function, which do not account for the symlink, so the write lands in `.git/config` and leads to arbitrary code execution.
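The three steps above, and the "incomplete patch that failed to account for symbolic links" behind CVE-2025-8110 in the July 2025 entry, come down to one check: whether the server validates the name the client supplied or the path that name actually resolves to. The Go program below is an added example written for this page, not Gogs code and not the real `UpdateRepoFile`. It lays out a scratch work tree with the attacker's `link -> .git/config`, shows a prefix-only check letting a write through the symlink reach `.git/config`, and then a symlink-aware check that resolves the path first and refuses anything that lands in `.git`, leaves the work tree, or goes through a dangling symlink. The function names are hypothetical, the config payload is constructed, and nothing here invokes git or executes the payload.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Hypothetical helpers written for this page; not Gogs code.

// Constructed payload modelled on the config described above. It is only
// ever written into a scratch directory and is never executed.
const maliciousConfig = "[core]\n\tsshCommand = touch /tmp/abc\n"

var errForbiddenPath = errors.New("path resolves outside the work tree or into .git")

// setupDemoRepo lays out a minimal work tree: a .git/config plus the
// attacker's committed symlink "link" -> .git/config (step 1 above).
func setupDemoRepo(root string) error {
	if err := os.MkdirAll(filepath.Join(root, ".git"), 0o755); err != nil {
		return err
	}
	cfg := []byte("[core]\n\tbare = false\n")
	if err := os.WriteFile(filepath.Join(root, ".git", "config"), cfg, 0o644); err != nil {
		return err
	}
	return os.Symlink(filepath.Join(".git", "config"), filepath.Join(root, "link"))
}

// cleanRel normalises a client-supplied path so ".." cannot climb above root.
func cleanRel(rel string) string {
	return strings.TrimPrefix(filepath.Clean("/"+rel), "/")
}

// writeRepoFilePrefixCheckOnly models the incomplete fix: it rejects names
// that literally start with ".git" and then writes through whatever the name
// points at, so "link" passes and the bytes land in .git/config.
func writeRepoFilePrefixCheckOnly(root, rel string, content []byte) error {
	rel = cleanRel(rel)
	if rel == ".git" || strings.HasPrefix(rel, ".git"+string(filepath.Separator)) {
		return errForbiddenPath
	}
	return os.WriteFile(filepath.Join(root, rel), content, 0o644)
}

// resolveInsideRepo resolves symlinks in the target (or, for a file that does
// not exist yet, in its parent directory) and checks that the real path is
// still inside root and not under .git.
func resolveInsideRepo(root, rel string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	rel = cleanRel(rel)
	if rel == "" || rel == "." {
		return "", errForbiddenPath
	}
	target := filepath.Join(realRoot, rel)
	resolved, err := filepath.EvalSymlinks(target)
	if errors.Is(err, fs.ErrNotExist) {
		// New file or dangling symlink; refuse the latter, because O_CREAT
		// would otherwise create whatever the link points at.
		if fi, lerr := os.Lstat(target); lerr == nil && fi.Mode()&fs.ModeSymlink != 0 {
			return "", errForbiddenPath
		}
		parent, perr := filepath.EvalSymlinks(filepath.Dir(target))
		if perr != nil {
			return "", perr
		}
		resolved = filepath.Join(parent, filepath.Base(target))
	} else if err != nil {
		return "", err
	}
	inside, err := filepath.Rel(realRoot, resolved)
	sep := string(filepath.Separator)
	if err != nil || inside == ".." || strings.HasPrefix(inside, ".."+sep) {
		return "", errForbiddenPath
	}
	if strings.SplitN(inside, sep, 2)[0] == ".git" {
		return "", errForbiddenPath
	}
	return resolved, nil
}

// writeRepoFileSymlinkAware is the hardened write: the check runs on the
// resolved path, so the symlink trick is refused before anything is written.
func writeRepoFileSymlinkAware(root, rel string, content []byte) error {
	resolved, err := resolveInsideRepo(root, rel)
	if err != nil {
		return err
	}
	return os.WriteFile(resolved, content, 0o644)
}

func main() {
	root, err := os.MkdirTemp("", "gogs-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	if err := setupDemoRepo(root); err != nil {
		panic(err)
	}
	fmt.Println("prefix-only check:", writeRepoFilePrefixCheckOnly(root, "link", []byte(maliciousConfig)))
	fmt.Println("symlink-aware:", writeRepoFileSymlinkAware(root, "link", []byte(maliciousConfig)))
}
```

Resolving before checking closes the symlink bypass, but the resolve and the write are still two separate system calls, so a link swapped in between them (a race an attacker with push access could attempt) is not covered; a production fix would additionally open the resolved path with `O_NOFOLLOW`, or on recent Linux with `openat2` and `RESOLVE_BENEATH`, so that the kernel enforces the containment at open time.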
Additionally, CVE-2025-64175 (CVSS 7.7) allows attackers to bypass 2FA: an attacker can use their own recovery codes to log in as any user whose credentials they know. Another flaw, CVE-2026-24135 (CVSS 7.2), lets an authenticated user delete files via path traversal in the wiki.
Affected Versions: Gogs ≤ 0.13.3
Patched Versions: 0.13.4 and 0.14.0+dev
No public exploits have been observed, but proof-of-concept (PoC) code increases the risk of weaponization.
The vulnerabilities underscore the risks of self-hosted Git tools, particularly in development environments. Organizations are advised to upgrade immediately to mitigate potential server takeovers. Alternatives like Gitea, an actively maintained fork of Gogs, do not suffer from these issues.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for GOG?
What was GOG's A.I Rankiteo Cyber Score in May 2026?
What was GOG's A.I Rankiteo Cyber Score in April 2026?
What was GOG's A.I Rankiteo Cyber Score in March 2026?
What was GOG's A.I Rankiteo Cyber Score in February 2026?
What was GOG's A.I Rankiteo Cyber Score in January 2026?
What was GOG's A.I Rankiteo Cyber Score in December 2025?
What was GOG's A.I Rankiteo Cyber Score in November 2025?
What was GOG's A.I Rankiteo Cyber Score in October 2025?
What was GOG's A.I Rankiteo Cyber Score in September 2025?
What was GOG's A.I Rankiteo Cyber Score in August 2025?
What was GOG's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on GOG's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with GOG?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view GOG's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?