VYPR
High severity · NVD Advisory · Published Nov 15, 2024 · Updated Nov 20, 2024

CVE-2024-44625

Description

Gogs <=0.13.0 is vulnerable to Directory Traversal via the editFilePost function of internal/route/repo/editor.go.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Gogs <=0.13.0 is vulnerable to a directory traversal in the web editor's editFilePost function: an authenticated user with push access can write files outside the repository working directory, which can be escalated to remote code execution as the Gogs process.

Vulnerability

Description

CVE-2024-44625 is a directory traversal vulnerability in Gogs, a self-hosted Git service, affecting versions up to and including 0.13.0. The flaw resides in the editFilePost function within internal/route/repo/editor.go. When a user edits a file through the web interface, the UpdateRepoFile function performs filesystem operations on a clone of the repository. The user-supplied filename parameter is joined onto the clone directory without adequate validation, so a value containing directory traversal sequences (e.g., ../) resolves to a location outside the intended repository directory and the edited content is written there [1][4].
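The unsafe join described above, placed beside a hardened check, as an added example written for this page rather than code from the Gogs project. The function names, the cloneDir value and the sample file names are assumptions; the .git check is additional hardening beyond what the advisory describes.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

// ErrBadPath is returned for any submitted file name that must not be written.
var ErrBadPath = errors.New("file name rejected: escapes or targets a protected path")

// vulnerableTargetPath shows the unsafe pattern: the user-controlled name is joined
// onto the clone directory and trusted. filepath.Join collapses ".." segments, so a
// name such as "../../../templates/x" silently resolves above cloneDir.
func vulnerableTargetPath(cloneDir, userPath string) string {
	return filepath.Join(cloneDir, userPath)
}

// safeTargetPath validates a Git tree path submitted through the web editor and
// returns the absolute on-disk path inside cloneDir, or ErrBadPath.
func safeTargetPath(cloneDir, userPath string) (string, error) {
	// Git tree paths are slash separated. Backslashes are folded to slashes so that
	// "..\" cannot bypass the check on a platform whose filepath does not split on them.
	p := strings.ReplaceAll(userPath, "\\", "/")
	if p == "" || strings.ContainsRune(p, 0) || strings.HasPrefix(p, "/") {
		return "", ErrBadPath
	}
	// path.Clean collapses "a/../b" to "b" but leaves a leading ".." in place, which is
	// exactly the signal needed: any surviving ".." means the name climbs out of the tree.
	cleaned := path.Clean(p)
	if cleaned == "." || cleaned == ".." || strings.HasPrefix(cleaned, "../") {
		return "", ErrBadPath
	}
	// Additional hardening (an assumption, not part of the advisory): never let the web
	// editor write into the repository's own .git directory, where hooks run as the server.
	for _, seg := range strings.Split(cleaned, "/") {
		if strings.EqualFold(seg, ".git") {
			return "", ErrBadPath
		}
	}
	// After joining, confirm the result still lies below cloneDir.
	full := filepath.Join(cloneDir, filepath.FromSlash(cleaned))
	rel, err := filepath.Rel(cloneDir, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadPath
	}
	return full, nil
}

func main() {
	// Constructed sample inputs; cloneDir is a hypothetical checkout location, not a Gogs constant.
	cloneDir := "/srv/gogs/tmp/repo"
	names := []string{
		"README.md",
		"docs/../README.md",
		"../../../templates/base/head.tmpl",
		"/etc/passwd",
		".git/hooks/post-receive",
	}
	for _, name := range names {
		fmt.Printf("unsafe join : %-38q -> %s\n", name, vulnerableTargetPath(cloneDir, name))
		if got, err := safeTargetPath(cloneDir, name); err != nil {
			fmt.Printf("hardened    : %-38q -> rejected (%v)\n", name, err)
		} else {
			fmt.Printf("hardened    : %-38q -> %s\n", name, got)
		}
	}
}
```

The important detail is that filepath.Join alone is not a check: it normalises the traversal away and returns a perfectly valid path above the clone directory. The hardened version rejects any name whose cleaned form still begins with "..", and then re-verifies the joined result with filepath.Rel so the two checks cover each other.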

Exploitation

Prerequisites

Exploitation requires an authenticated user who has push access to a repository and can edit files via the web interface. The attacker must submit a specially crafted POST request to the /:username/:reponame/_edit/:branch/:filepath endpoint. No special network position is needed beyond normal access to the Gogs instance; a default installation is exploitable [1].

Impact

By traversing out of the repository working directory, an attacker can overwrite any file the Gogs process can write, including critical files on the server such as Go templates, configuration files, or startup scripts. This arbitrary file write can be leveraged to achieve remote code execution in the context of the Gogs process, leading to full server compromise [1].

Mitigation

Status

At the time the cited report was published, the Gogs maintainers had not acknowledged it and no fix was available; the latest release was 0.13.0. The GitHub Security Advisory data on this page lists 0.13.2 as the patched version, so upgrading to 0.13.2 or later is the primary mitigation. Where an upgrade is not immediately possible, restrict repository write access to trusted users, disable open registration, implement strong authentication, and consider migrating to Gitea, an actively maintained fork that is not affected [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Ecosystem   Affected versions   Patched versions
gogs.io/gogs   Go          < 0.13.2            0.13.2

Affected products: 4

Patches: 0 (no patches discovered yet)

References: 7

News mentions: 0 (no linked articles in the index yet)