VYPR
High severity · 8.5 · GHSA Advisory · Published Jun 16, 2026 · Updated Jun 16, 2026

Gogs: Overwriting critical files results in a denial of service

CVE-2026-52797

Description

An authorized user can exploit a path traversal in Gogs' diff preview endpoint to overwrite arbitrary files, causing denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability resides in the DiffPreviewPost handler in Gogs (internal/route/repo/editor.go). When an authorized user sends a POST request to /:user/:repo/_preview/:branch/:path_to_file, the treePath parameter is taken directly from the URL without sanitization. The handler's TreeEntry check runs on a path.Clean-normalized copy of that value, but the raw value is what is passed to GetDiffPreview and from there onto the git diff command line. A value that begins with --output= is therefore parsed by git as an option rather than as a path, and the diff output is written to the file named in that option, which can lie outside the repository (for example through a /../ component). The advisory labels the flaw as path traversal; mechanically it is argument injection into git diff combined with a traversal component in the injected output path. Affected versions are those prior to the fix (commit b7372b1f32cd0bb40984debfb049e3fc04efaee4). [1][2]

Exploitation

An attacker must be an authorized user of the Gogs instance (i.e., have an account and be logged in) and control a repository on it. Go's path.Clean resolves each .. against the element before it, so the payload --output=/../data/gogs.db collapses to data/gogs.db; the attacker first commits a file at that path so that the TreeEntry existence check passes. The attacker then sends a POST request to the preview endpoint with :path_to_file set to the raw payload. GetDiffPreview hands that raw value to git diff, which interprets it as --output=/../data/gogs.db and writes the diff output over the target file. [1][2]

Impact

Successful exploitation allows an authorized user to overwrite arbitrary files on the server filesystem that the Gogs process can write, leading to a denial of service (DoS). The example target on this page is the Gogs database file gogs.db; overwriting it or other critical application or system files can crash the service or render it unavailable. No code execution or data disclosure is reported; the impact is limited to DoS. [1][2]

Mitigation

The fix is available in the Gogs repository at commit b7372b1f32cd0bb40984debfb049e3fc04efaee4. The recommended change is to replace the direct use of treePath in the GetDiffPreview call with the already-validated entry variable and to use the project's own pathutil.Clean function instead of path.Clean from the standard library. Users should update to a version that includes this commit or apply the patch manually. No workaround is provided. [1][2]

AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: none indexed on this page (the fixing commit is identified in the Mitigation section above).

Vulnerability mechanics

Root cause

"Missing input sanitization on the `treePath` parameter allows an authenticated user to inject a `--output=<file>` argument into the `git diff` command, enabling arbitrary file overwrite."

Attack vector

An authenticated user sends a POST request to `/:user/:repo/_preview/:branch/:path_to_file` with a crafted `:path_to_file` value such as `--output=/../data/gogs.db`. The `path.Clean` call in the `TreeEntry` check collapses this payload to `data/gogs.db` (the `..` consumes the preceding `--output=` element), so the existence check passes once the attacker has committed a matching directory and file in the repository. The unsanitized value is then passed to `git diff`, which parses it as `--output=/../data/gogs.db` and overwrites the Gogs database file with diff output, causing a denial of service [ref_id=1].

Affected code

The flaw is in `internal/route/repo/editor.go` in the `DiffPreviewPost` handler. The user-supplied `treePath` from the URL parameter `:path_to_file` is passed directly to `GetDiffPreview` without sanitization, while the `TreeEntry` check validates a `path.Clean`-normalized copy from which the `--output=` prefix has already been stripped. The check and the git invocation therefore see two different strings.

What the fix does

The advisory recommends two changes at `internal/route/repo/editor.go` line 307: (1) use the already-validated `entry` variable instead of the raw `treePath` when calling `GetDiffPreview`, and (2) replace `path.Clean` with the project's own `pathutil.Clean` function to prevent the `--output=...` bypass. This ensures only a known-good repository path reaches the `git diff` command, blocking arbitrary file writes.
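The check-versus-use mismatch described in the AI Insight and Vulnerability mechanics sections, as an added Go example. This is constructed for this page and is not Gogs code: it does not reproduce the real DiffPreviewPost or GetDiffPreview. The git argv is modelled as just `diff` plus the path, the repository listing is a constructed map standing in for the TreeEntry lookup, and safeTreePath is a hypothetical hardening helper written here to stand in for the validated `entry` / `pathutil.Clean` change the advisory names; its rules (canonical form only, anchored clean, no option-like segment, `--` before the pathspec) are this example's own and go beyond the one-line fix.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// buildDiffArgsVulnerable models the flawed flow on this page (constructed,
// not Gogs code): the existence check runs on path.Clean(treePath), but the
// raw treePath is what reaches the git argv.
func buildDiffArgsVulnerable(treePath string, repoFiles map[string]bool) ([]string, error) {
	cleaned := path.Clean(treePath)
	if !repoFiles[cleaned] {
		return nil, errors.New("tree entry not found")
	}
	// The raw value goes onto the command line unchanged, so a leading
	// "--output=" is parsed by git as an option, not as a pathspec.
	return []string{"diff", treePath}, nil
}

// safeTreePath is a hypothetical hardening helper (assumption: it stands in
// for the validated entry / pathutil.Clean change named in the advisory).
// It accepts only a path that is already in canonical form, stays inside the
// repository root, and has no segment that git could read as an option.
func safeTreePath(treePath string) (string, error) {
	// Anchoring at "/" means ".." can never climb above the repository root.
	cleaned := strings.TrimPrefix(path.Clean("/"+treePath), "/")
	if cleaned == "" {
		return "", errors.New("empty path")
	}
	// Reject anything that cleaning changed: "../", "./", "//", trailing "/",
	// and the "--output=/../x" shape that collapses to a plain repo path.
	if cleaned != treePath {
		return "", fmt.Errorf("path %q is not in canonical form (cleaned to %q)", treePath, cleaned)
	}
	for _, seg := range strings.Split(cleaned, "/") {
		if strings.HasPrefix(seg, "-") {
			return "", fmt.Errorf("segment %q would be parsed as an option", seg)
		}
	}
	return cleaned, nil
}

// buildDiffArgsHardened checks and uses the same string, and terminates
// option parsing with "--" so the path can only ever be a pathspec.
func buildDiffArgsHardened(treePath string, repoFiles map[string]bool) ([]string, error) {
	p, err := safeTreePath(treePath)
	if err != nil {
		return nil, err
	}
	if !repoFiles[p] {
		return nil, errors.New("tree entry not found")
	}
	return []string{"diff", "--", p}, nil
}

func main() {
	// Constructed repository listing: the attacker has committed data/gogs.db.
	repoFiles := map[string]bool{"README.md": true, "data/gogs.db": true}
	payload := "--output=/../data/gogs.db"

	fmt.Printf("path.Clean(%q) = %q\n", payload, path.Clean(payload))
	if args, err := buildDiffArgsVulnerable(payload, repoFiles); err == nil {
		fmt.Println("vulnerable argv:", args)
	}
	if _, err := buildDiffArgsHardened(payload, repoFiles); err != nil {
		fmt.Println("hardened rejects:", err)
	}
	if args, err := buildDiffArgsHardened("README.md", repoFiles); err == nil {
		fmt.Println("hardened argv:", args)
	}
}
```

Running it shows the payload collapsing to data/gogs.db under path.Clean, the raw `--output=...` string surviving into the argv of the flawed flow, and the hardened flow rejecting the same input while still accepting an ordinary repository path.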

Preconditions

  • auth: The attacker must be an authenticated user of the Gogs instance.
  • input: The attacker must have a repository where they can create a directory and file matching the payload path.

Generated on Jun 16, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2
