Gogs deletion of internal files allows remote command execution
Description
Gogs is an open source self-hosted Git service. Prior to version 0.13.3, it is still possible to delete files under the .git directory and achieve remote command execution, because the patch for CVE-2024-39931 was insufficient. Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the privileges of the account specified by RUN_USER in the configuration, allowing attackers to access and alter any user's code hosted on the same instance. This issue has been patched in version 0.13.3.
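The fix above rejects any tree path that reaches into `.git`. The following is an added illustration of what such a guard needs to cover, written for this page; it is not the `isRepositoryGitPath` helper that Gogs ships, and the function name `validateTreePath`, the `ErrBadTreePath` sentinel and the sample paths are assumptions made here. It normalises the user-supplied path first (separator folding, `path.Clean`), then rejects absolute paths, anything that would climb out of the repository, and any component named `.git` regardless of case, so that the check cannot be sidestepped by the spelling of the path rather than its target.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrBadTreePath mirrors the "bad tree path" rejection used by the patch.
var ErrBadTreePath = errors.New("bad tree path")

// validateTreePath returns the cleaned, repository-relative form of treePath
// or an error if the path must not be previewed, edited or deleted.
// Illustrative reimplementation for this write-up, not Gogs's own helper.
func validateTreePath(treePath string) (string, error) {
	// Fold backslashes so a Windows-style path is judged by the same rules.
	p := strings.ReplaceAll(treePath, "\\", "/")
	if p == "" || strings.HasPrefix(p, "/") {
		return "", fmt.Errorf("%w: %q", ErrBadTreePath, treePath)
	}
	// Collapse "." and ".." segments before inspecting components, so the
	// decision is made on the path the filesystem would actually resolve.
	clean := path.Clean(p)
	for _, seg := range strings.Split(clean, "/") {
		switch {
		case seg == "..":
			// A leading ".." survives Clean only when the path leaves the root.
			return "", fmt.Errorf("%w (escapes repository): %q", ErrBadTreePath, treePath)
		case strings.EqualFold(seg, ".git"):
			// Case-insensitive: on case-insensitive filesystems ".GIT" is ".git".
			return "", fmt.Errorf("%w (reaches .git): %q", ErrBadTreePath, treePath)
		}
	}
	return clean, nil
}

func main() {
	// Constructed sample paths; the last two are rejected.
	for _, p := range []string{"src/main.go", "a/b/../c.txt", ".git/HEAD", "a/../.git/config"} {
		clean, err := validateTreePath(p)
		fmt.Printf("%-20q -> clean=%q err=%v\n", p, clean, err)
	}
}
```

Calling the validator once at the top of every write or delete entry point, before any working-copy lock is taken, keeps the rule in one place and avoids the situation described in this advisory, where one code path was guarded and another was not.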
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| gogs.io/gogs (Go) | < 0.13.3 | 0.13.3 |
Patches
77a4a945ae9a repo: prevent preview and delete files in `.git` directories (#7870)
1 file changed · +10 −0
internal/database/repo_editor.go+10 −0 modified@@ -220,6 +220,11 @@ func (repo *Repository) UpdateRepoFile(doer *User, opts UpdateRepoFileOptions) ( // GetDiffPreview produces and returns diff result of a file which is not yet committed. func (repo *Repository) GetDiffPreview(branch, treePath, content string) (diff *gitutil.Diff, err error) { + // 🚨 SECURITY: Prevent uploading files into the ".git" directory + if isRepositoryGitPath(treePath) { + return nil, errors.Errorf("bad tree path %q", treePath) + } + repoWorkingPool.CheckIn(com.ToStr(repo.ID)) defer repoWorkingPool.CheckOut(com.ToStr(repo.ID)) @@ -283,6 +288,11 @@ type DeleteRepoFileOptions struct { } func (repo *Repository) DeleteRepoFile(doer *User, opts DeleteRepoFileOptions) (err error) { + // 🚨 SECURITY: Prevent uploading files into the ".git" directory + if isRepositoryGitPath(opts.TreePath) { + return errors.Errorf("bad tree path %q", opts.TreePath) + } + repoWorkingPool.CheckIn(com.ToStr(repo.ID)) defer repoWorkingPool.CheckOut(com.ToStr(repo.ID))
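Review bot: the comment on the new guard in GetDiffPreview (first hunk) reads "Prevent uploading files into the ".git" directory", but this function previews a diff and uploads nothing; reword it to describe what the check actually blocks, e.g. `// 🚨 SECURITY: Prevent previewing files in the ".git" directory`. Placing the check before `repoWorkingPool.CheckIn` is right, since returning early after CheckIn would leave the deferred CheckOut unreachable.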
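Review bot: the same copy-pasted comment appears in DeleteRepoFile (second hunk), where the guard protects deletion rather than upload; change it to `// 🚨 SECURITY: Prevent deleting files in the ".git" directory`. Given that the advisory attributes this issue to the earlier CVE-2024-39931 fix leaving this path unguarded, a regression test that calls DeleteRepoFile with a TreePath under `.git` and asserts on the `bad tree path` error would keep the guard from being lost again.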
References
- github.com/advisories/GHSA-ccqv-43vm-4f3w (advisory)
- github.com/advisories/GHSA-wj44-9vcg-wjq7 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-56731 (advisory)
- github.com/gogs/gogs/commit/77a4a945ae9a87f77e392e9066b560edb71b5de9 (web)
- github.com/gogs/gogs/releases/tag/v0.13.3 (web)
- github.com/gogs/gogs/security/advisories/GHSA-wj44-9vcg-wjq7 (vendor confirmation)