High severity · NVD Advisory · Published Dec 23, 2024 · Updated Dec 24, 2024
Gogs has a Path Traversal in file update API
CVE-2024-55947
Description
Gogs is an open source self-hosted Git service. A malicious user is able to write a file to an arbitrary path on the server, which can be leveraged to gain SSH access to the server; the cause is that the repository file update API used the caller-supplied tree path without cleaning it (`treePath := c.Params("*")`). The vulnerability is fixed in 0.13.1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| gogs.io/gogs (Go) | < 0.13.1 | 0.13.1 |
Affected products
Patches (1)
1. 9a9388ace25b — api: clean file path for updating repo contents (#7859)
5 files changed · +15 −2
internal/database/repo_editor.go+1 −0 modified@@ -541,6 +541,7 @@ func (repo *Repository) UploadRepoFiles(doer *User, opts UploadRepoFileOptions) continue } + // 🚨 SECURITY: Prevent path traversal. upload.Name = pathutil.Clean(upload.Name) // 🚨 SECURITY: Prevent uploading files into the ".git" directory
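Review bot: The cleaned `upload.Name` is never checked for emptiness before the `.git` guard that follows it: a name such as `../` or `..\..` cleans to `""` (path.Clean of `/..` is `/`, which the trailing Trim reduces to the empty string), so unless code below the hunk rejects it, an upload would proceed under an empty name. Consider `if upload.Name == "" { continue }` directly after the Clean call, or returning an error for the whole batch, mirroring the `continue` the loop already uses for entries it skips. Also worth noting in the comment that Clean relocates rather than rejects — `../../etc/passwd` becomes `etc/passwd` inside the repository — so a tampered upload succeeds silently at a different path instead of failing. The enclosing UploadRepoFiles begins and ends outside the hunk.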
internal/pathutil/pathutil.go+3 −0 modified@@ -11,6 +11,9 @@ import ( // Clean cleans up given path and returns a relative path that goes straight // down to prevent path traversal. +// +// 🚨 SECURITY: This function MUST be used for any user input that is used as +// file system path to prevent path traversal. func Clean(p string) string { p = strings.ReplaceAll(p, `\`, "/") return strings.Trim(path.Clean("/"+p), "/")
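Review bot: The new doc comment says the function MUST be used but does not state what callers get back, which is what they need in order to reason about the guard: the result never begins with `/` and contains no `..` component, an input that only escapes upward (`..`, `../..`) becomes `""`, and an input that escapes and then descends is relocated rather than rejected (`../../etc/passwd` → `etc/passwd`; `..\..\x` → `x` after the backslash rewrite). Suggest appending `// The result is empty when the input resolves to the root. Callers that must detect tampering (rather than silently normalize it) should compare the input against the result, as repo/http.go does.` Whether an empty result is acceptable is a per-caller decision, so saying it explicitly here stops each call site from having to rediscover it.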
internal/route/api/v1/repo/contents.go+7 −2 modified@@ -16,6 +16,7 @@ import ( "gogs.io/gogs/internal/context" "gogs.io/gogs/internal/database" "gogs.io/gogs/internal/gitutil" + "gogs.io/gogs/internal/pathutil" "gogs.io/gogs/internal/repoutil" ) @@ -120,7 +121,8 @@ func GetContents(c *context.APIContext) { return } - treePath := c.Params("*") + // 🚨 SECURITY: Prevent path traversal. + treePath := pathutil.Clean(c.Params("*")) entry, err := commit.TreeEntry(treePath) if err != nil { c.NotFoundOrError(gitutil.NewError(err), "get tree entry") @@ -188,7 +190,10 @@ func PutContents(c *context.APIContext, r PutContentsRequest) { if r.Branch == "" { r.Branch = c.Repo.Repository.DefaultBranch } - treePath := c.Params("*") + + // 🚨 SECURITY: Prevent path traversal. + treePath := pathutil.Clean(c.Params("*")) + err = c.Repo.Repository.UpdateRepoFile( c.User, database.UpdateRepoFileOptions{
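Review bot: PutContents now silently normalizes the requested path rather than rejecting a traversal attempt: a request for `../../foo` is written to `foo` inside the repository, so the path the client named and the path actually modified differ and nothing tells the client or the log. The http.go hunk in this same commit takes the stricter approach of comparing the cleaned value with the original and returning 400 on mismatch; doing the same here, e.g. rejecting with 400 Bad Request when `c.Params("*") != treePath` (allowing for a leading `/` if the wildcard parameter carries one, as http.go does), would make the API surface consistent and turn an attack into a visible failure instead of a write somewhere unintended. GetContents could carry the same check, though a read of a normalized path is lower risk. Both function bodies continue beyond the hunk; PutContents is cut at `database.UpdateRepoFileOptions{`.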
internal/route/repo/editor.go+3 −0 modified@@ -135,6 +135,7 @@ func editFilePost(c *context.Context, f form.EditRepoFile, isNewFile bool) { branchName = f.NewBranchName } + // 🚨 SECURITY: Prevent path traversal. f.TreePath = pathutil.Clean(f.TreePath) treeNames, treePaths := getParentTreeFields(f.TreePath) @@ -342,6 +343,7 @@ func DeleteFilePost(c *context.Context, f form.DeleteRepoFile) { c.PageIs("Delete") c.Data["BranchLink"] = c.Repo.RepoLink + "/src/" + c.Repo.BranchName + // 🚨 SECURITY: Prevent path traversal. c.Repo.TreePath = pathutil.Clean(c.Repo.TreePath) c.Data["TreePath"] = c.Repo.TreePath @@ -437,6 +439,7 @@ func UploadFilePost(c *context.Context, f form.UploadRepoFile) { branchName = f.NewBranchName } + // 🚨 SECURITY: Prevent path traversal. f.TreePath = pathutil.Clean(f.TreePath) treeNames, treePaths := getParentTreeFields(f.TreePath) if len(treeNames) == 0 {
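Review bot: In DeleteFilePost the cleaned path is written back to `c.Repo.TreePath` and into the template data before the rest of the handler uses it, so a traversal attempt is silently redirected to a different in-repository file (`../../x` → `x`) and that file becomes the target of the delete; editFilePost and UploadFilePost relocate `f.TreePath` the same way. Since a tampered tree path in a form submission is never legitimate, rejecting the request when `pathutil.Clean(f.TreePath) != f.TreePath` would be safer than normalizing and would match the reject-on-mismatch pattern used in http.go. UploadFilePost does guard `len(treeNames) == 0`, which catches a path that cleans to empty; the editFilePost hunk shows no equivalent guard, so whether an empty path reaches getParentTreeFields unchecked should be confirmed outside the hunk. All three function bodies extend beyond the hunk.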
internal/route/repo/http.go+1 −0 modified@@ -411,6 +411,7 @@ func HTTP(c *HTTPContext) { return } + // 🚨 SECURITY: Prevent path traversal. cleaned := pathutil.Clean(m[1]) if m[1] != "/"+cleaned { c.Error(http.StatusBadRequest, "Request path contains suspicious characters")
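Review bot: The added comment repeats what the neighbouring call sites say but omits the one thing that makes this site different: it rejects any path that Clean would alter instead of substituting the cleaned value, so a traversal attempt fails with 400 rather than being routed to a different repository. Suggest making that explicit, e.g. `// 🚨 SECURITY: Prevent path traversal. Reject (rather than normalize) any path that Clean would change, so a tampered request fails loudly instead of being redirected.` The comparison also rejects harmless variants such as a doubled or trailing slash, since Clean strips both; that is acceptable for git smart-HTTP paths but worth stating so nobody later "fixes" it by loosening the check. The enclosing HTTP function begins before and ends after the hunk.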
References
- github.com/advisories/GHSA-qf5v-rp47-55gg (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-55947 (NVD advisory)
- github.com/gogs/gogs/commit/9a9388ace25bd646f5098cb9193d983332c34e41 (fix commit)
- github.com/gogs/gogs/issues/7582 (issue)
- github.com/gogs/gogs/pull/7859 (pull request)
- github.com/gogs/gogs/security/advisories/GHSA-qf5v-rp47-55gg (vendor advisory)