Critical severity · NVD Advisory · Published Jun 24, 2025 · Updated Jun 25, 2025
Gogs deletion of internal files allows remote command execution
CVE-2024-56731
Description
Gogs is an open source self-hosted Git service. Prior to version 0.13.3, it is still possible to delete files under the .git directory and achieve remote command execution, because the patch for CVE-2024-39931 was insufficient. Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the privileges of the account specified by RUN_USER in the configuration, allowing attackers to access and alter any user's code hosted on the same instance. This issue has been patched in version 0.13.3.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| gogs.io/gogs (Go) | < 0.13.3 | 0.13.3 |
Affected products
- ghsa-coords (2 versions): < 0.13.3, + 1 more
- (no CPE) range: < 0.13.3
- (no CPE) range: < 0.0.20250730T213748-1.1
References
- github.com/advisories/GHSA-ccqv-43vm-4f3w (GHSA, advisory)
- github.com/advisories/GHSA-wj44-9vcg-wjq7 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-56731 (GHSA, advisory)
- github.com/gogs/gogs/commit/77a4a945ae9a87f77e392e9066b560edb71b5de9 (GHSA, x_refsource_MISC, web)
- github.com/gogs/gogs/releases/tag/v0.13.3 (GHSA, x_refsource_MISC, web)
- github.com/gogs/gogs/security/advisories/GHSA-wj44-9vcg-wjq7 (GHSA, x_refsource_CONFIRM, web)