High severity · NVD Advisory · Published Feb 6, 2026 · Updated Feb 26, 2026
Gogs Vulnerable to 2FA Bypass via Recovery Code
CVE-2025-64175
Description
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs' 2FA recovery code validation does not scope codes by user: the lookup matches any unused recovery code in the table, regardless of which account it was issued to. An attacker who knows a victim's username and password can therefore present any unused recovery code (for example one generated for the attacker's own account) to satisfy the victim's 2FA step. This enables full account takeover and renders 2FA ineffective in every environment where it is enabled. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
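The following is an added example, written for this page; it is not Gogs' own code and does not reproduce the patched commits. It models the bug class the advisory describes with an in-memory table of recovery codes (the `RecoveryCode` and `Store` types, the sample codes, and the two `UseRecoveryCode*` methods are all assumptions made for the illustration). The vulnerable variant matches on the code value alone; the fixed variant additionally requires the row to belong to the authenticating user, which is the missing scoping check the advisory refers to. Codes are kept in plaintext here for brevity; whether they are hashed at rest is orthogonal to the bug.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// RecoveryCode is one stored 2FA recovery code (constructed model, not Gogs' schema).
type RecoveryCode struct {
	ID     int64
	UserID int64  // owner of the code
	Code   string // plaintext for this example
	Used   bool   // recovery codes are single-use
}

// ErrInvalidCode is returned when no usable code matches.
var ErrInvalidCode = errors.New("invalid or already-used recovery code")

// Store is an in-memory stand-in for the recovery-code table.
type Store struct {
	codes []*RecoveryCode
}

// NewStore seeds the table from a map of user ID -> that user's codes.
func NewStore(codesByUser map[int64][]string) *Store {
	s := &Store{}
	var nextID int64
	for uid, codes := range codesByUser {
		for _, c := range codes {
			nextID++
			s.codes = append(s.codes, &RecoveryCode{ID: nextID, UserID: uid, Code: c})
		}
	}
	return s
}

func codesMatch(stored, presented string) bool {
	return subtle.ConstantTimeCompare([]byte(stored), []byte(presented)) == 1
}

// UseRecoveryCodeVulnerable reproduces the flawed pattern: the lookup is keyed
// only on the code value, so an unused code issued to ANY account passes the
// 2FA check for the user currently logging in. userID is accepted but ignored.
func (s *Store) UseRecoveryCodeVulnerable(userID int64, code string) error {
	for _, rc := range s.codes {
		if !rc.Used && codesMatch(rc.Code, code) { // BUG: rc.UserID never compared
			rc.Used = true
			return nil
		}
	}
	return ErrInvalidCode
}

// UseRecoveryCodeFixed scopes the lookup to the authenticating user, so only a
// code issued to that user (and not yet consumed) can satisfy the check.
func (s *Store) UseRecoveryCodeFixed(userID int64, code string) error {
	for _, rc := range s.codes {
		if rc.UserID == userID && !rc.Used && codesMatch(rc.Code, code) {
			rc.Used = true
			return nil
		}
	}
	return ErrInvalidCode
}

func main() {
	// Constructed sample data: user 1 is the victim, user 2 the attacker.
	seed := func() map[int64][]string {
		return map[int64][]string{1: {"victim-code-0001"}, 2: {"attacker-code-0001"}}
	}

	// Attacker already has the victim's password and now faces the victim's 2FA
	// prompt; they submit a recovery code from their own account.
	vuln := NewStore(seed())
	fmt.Println("vulnerable, attacker's code for victim:", vuln.UseRecoveryCodeVulnerable(1, "attacker-code-0001"))

	fixed := NewStore(seed())
	fmt.Println("fixed, attacker's code for victim:     ", fixed.UseRecoveryCodeFixed(1, "attacker-code-0001"))
	fmt.Println("fixed, victim's own code:              ", fixed.UseRecoveryCodeFixed(1, "victim-code-0001"))
	fmt.Println("fixed, same code replayed:             ", fixed.UseRecoveryCodeFixed(1, "victim-code-0001"))
}
```

When auditing a real implementation, the check to look for is the same one the fixed variant adds: the query or loop that consumes a recovery code must filter on the session's user ID, not only on the code value, and must mark the row used atomically so a code cannot be replayed.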
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| gogs.io/gogs | Go | >= 0.11.19, < 0.13.4 | 0.13.4 |
Affected products
- gogs.io/gogs (no CPE), range: >= 0.11.19, < 0.13.4
- gogs.io/gogs (no CPE), range: < 0.0.20260226T182644-150000.1.149.1
References
- GitHub advisory GHSA-p6x6-9mx6-26wj: https://github.com/advisories/GHSA-p6x6-9mx6-26wj
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-64175
- Fix commit: https://github.com/gogs/gogs/commit/a617d52374e937db0edacfba2a26bdd14a05538e
- Fix commit: https://github.com/gogs/gogs/commit/d568e048315dc9729c8518d8085cab7dbbfac80f
- Project security advisory: https://github.com/gogs/gogs/security/advisories/GHSA-p6x6-9mx6-26wj