VYPR advisory · Published May 28, 2026 · 4 sources

Critical Unpatched RCE Vulnerability in Gogs Git Service Allows Full Server Takeover

Rapid7 disclosed a critical argument injection vulnerability in Gogs that lets any authenticated user achieve remote code execution on the server, with no patch available.

Rapid7 Labs has disclosed a critical argument injection vulnerability (CWE-88) in Gogs, a popular open-source self-hosted Git service. The flaw, scored CVSSv4 9.4 (Critical), allows any authenticated user to achieve remote code execution (RCE) on the server by creating a pull request with a malicious branch name that injects the `--exec` flag into `git rebase` during the "Rebase before merging" merge operation. At the time of publication, the vendor has not released a patch, leaving thousands of internet-facing instances exposed.

The exploit requires neither admin privileges nor interaction with other users: the attacker operates entirely within their own account. Gogs ships with open registration enabled by default and imposes no limit on repository creation, so on a default-configured instance an attacker with no existing account can register one, create a repository (the creator is automatically its owner), and enable rebase merging with a single toggle in the repository settings. Every step of the chain is under the attacker's control.

The result is arbitrary command execution as the Gogs server process user, giving the attacker the ability to compromise the server, read every repository on the instance (including other users' private repos), dump credentials (password hashes, API tokens, SSH keys, 2FA secrets), pivot to other network-accessible systems, and modify any hosted repository's code. The latest release versions at the time of research, Gogs 0.14.2 and 0.15.0+dev (commit b53d3162), were confirmed to be affected. All prior versions supporting the "Rebase before merging" style are likely vulnerable as well.

Gogs is a lightweight, self-hosted Git service written in Go. With approximately 50,000 GitHub stars and over 5,000 forks, it is one of the more popular self-hosted alternatives to GitHub, commonly deployed by companies, universities, and open-source projects. A Shodan search for `http.title:"Gogs" http.title:"Sign In"` returned 1,141 internet-facing instances at the time of publication. The real install base is likely much larger, since many deployments sit behind VPNs or on internal networks and never show up in such a search.

The vulnerability affects all supported platforms (Linux, macOS, Windows) and installation methods (pre-built binary, Docker, source). On Docker installations, the Gogs process runs as the git user (UID 1000 by default). On binary installations, the process user depends on how the administrator deployed the service (commonly git or a dedicated service account). The practical impact includes server compromise, cross-tenant data breach, credential theft, lateral movement, and supply chain attacks.

The exploit is fully automatable (a Metasploit module is provided) and runs in seconds. When the attacker creates and deletes their own repository, the only trace is an HTTP 500 in the server logs. When exploiting an existing repository, additional artifacts remain. The vulnerability was discovered by Jonah Burgess (CryptoCat), Senior Security Researcher at Rapid7, and is being disclosed in accordance with Rapid7's vulnerability disclosure policy.

Administrators of Gogs instances should immediately disable open registration if it is not needed (in `app.ini`, `DISABLE_REGISTRATION = true` under `[service]`), restrict repository creation to trusted users, and disable the "Rebase before merging" option on every repository. Note that the rebase setting is per repository, so it must be checked on each one, and that closing registration does not protect against an existing or compromised account. Until a patch is released, the only complete mitigation is to disable the rebase merge style entirely or to restrict network access to the Gogs instance. The bug is a textbook case of argument injection: a user-controlled value placed on a `git` command line where it is parsed as an option rather than as data.

BleepingComputer's coverage describes the zero-day as going beyond the previously known authenticated argument injection and allowing unauthenticated remote code execution via crafted HTTP requests against Internet-facing instances. The Rapid7 write-up summarised on this page describes an attack that does require a Gogs account, but on a default-configured instance any visitor can self-register one, so the flaw is effectively exploitable by unauthenticated Internet users either way. No patch has been issued as of publication, and users are advised to restrict network access to their Gogs instances until a fix becomes available. This underscores the urgency for organizations running self-hosted Gogs to put network-level mitigations in place now.

Rapid7 researcher Jonah Burgess (CryptoCat) publicly disclosed the flaw, classified as CWE-88 (argument injection) with a CVSSv4 score of 9.4, and published a fully functional Metasploit module that automates exploitation in seconds. The vulnerability affects all Gogs versions up to 0.15.0+dev, including the latest stable release 0.14.2, and allows any authenticated user to execute arbitrary commands by crafting malicious branch names such as `--exec=touch${IFS}/tmp/rce_proof` that are passed unsanitized to Git's rebase command. The `${IFS}` trick is there because git refnames cannot contain spaces, while `git rebase --exec` hands the command to a shell, which expands `${IFS}` to whitespace. With open registration enabled by default, attackers can register an account, create a repository, and trigger the exploit without any administrative privileges or user interaction.

The Rapid7 write-up pins down the mechanism: the `--exec` flag is injected into the `git rebase` command that Gogs runs during the "Rebase before merging" operation, carried in by a malicious branch name. Rapid7's Metasploit module automates the full chain against both Linux and Windows targets, and Rapid7 warns that when the attacker creates and then deletes their own repository, the only server-side trace is an HTTP 500 error.
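The following Go example is added here to make the injection and the two practical responses concrete; it is illustrative code, not Gogs's own code or Rapid7's module. It assumes the unsafe pattern is a branch name placed on the `git rebase` argv as a bare positional argument (the shape the page describes, reduced to a hypothetical `VulnerableRebaseArgs`). The hardened `SafeRef`/`SafeRebaseArgs` reject option-like names, apply the refname rules from `git-check-ref-format(1)`, and fully qualify the ref as `refs/heads/...` so it can never start with a dash. `SuspiciousRefs` is a hunt check for administrators: feed it the output of `git for-each-ref --format='%(refname)' refs/heads` from each hosted repository and it returns any branch whose short name begins with a dash. The sample ref listing is constructed, not captured from a real instance.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrUnsafeRef is returned for any branch name that must not reach a git
// command line as a bare argument.
var ErrUnsafeRef = errors.New("branch name rejected: option-like or not a valid refname")

// RefLooksLikeOption reports whether a user-supplied branch name would be
// parsed as an option (for example --exec=...) if a git subcommand received
// it as a bare positional argument.
func RefLooksLikeOption(name string) bool {
	return strings.HasPrefix(name, "-")
}

// VulnerableRebaseArgs is a hypothetical reduction of the unsafe shape (not
// Gogs's code): the head branch name goes straight onto the argv of git rebase.
func VulnerableRebaseArgs(base, head string) []string {
	return []string{"rebase", base, head}
}

// SafeRef enforces the relevant refname rules from git-check-ref-format(1)
// plus a leading-dash ban and returns the fully qualified ref, which cannot
// be mistaken for an option because it starts with "refs/".
func SafeRef(name string) (string, error) {
	if name == "" || RefLooksLikeOption(name) {
		return "", ErrUnsafeRef
	}
	for _, r := range name {
		// control characters, space, ~ ^ : ? * [ and backslash are forbidden
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[\\", r) {
			return "", ErrUnsafeRef
		}
	}
	for _, s := range []string{"..", "@{", "//"} {
		if strings.Contains(name, s) {
			return "", ErrUnsafeRef
		}
	}
	if strings.HasPrefix(name, "/") || strings.HasSuffix(name, "/") || strings.HasSuffix(name, ".") {
		return "", ErrUnsafeRef
	}
	for _, part := range strings.Split(name, "/") {
		// no component may start with "." or end with ".lock"
		if strings.HasPrefix(part, ".") || strings.HasSuffix(part, ".lock") {
			return "", ErrUnsafeRef
		}
	}
	return "refs/heads/" + name, nil
}

// SafeRebaseArgs is the hardened counterpart: both refs are validated and
// fully qualified, and "--" (git's end-of-options marker) stops anything
// after it from being read as a flag.
func SafeRebaseArgs(base, head string) ([]string, error) {
	b, err := SafeRef(base)
	if err != nil {
		return nil, err
	}
	h, err := SafeRef(head)
	if err != nil {
		return nil, err
	}
	return []string{"rebase", "--", b, h}, nil
}

// SuspiciousRefs takes the output of
//   git for-each-ref --format='%(refname)' refs/heads
// (one ref per line) and returns every branch whose short name begins with
// a dash, which is what an attacker-planted --exec branch looks like.
func SuspiciousRefs(forEachRef string) []string {
	var hits []string
	for _, line := range strings.Split(forEachRef, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "refs/heads/-") {
			hits = append(hits, line)
		}
	}
	return hits
}

// SampleForEachRef is constructed sample output, not captured from a real instance.
const SampleForEachRef = `refs/heads/master
refs/heads/feature/login
refs/heads/--exec=touch${IFS}/tmp/rce_proof
`

func main() {
	payload := "--exec=touch${IFS}/tmp/rce_proof"
	fmt.Println("vulnerable argv:", VulnerableRebaseArgs("master", payload))
	if _, err := SafeRebaseArgs("master", payload); err != nil {
		fmt.Println("hardened argv: rejected:", err)
	}
	args, _ := SafeRebaseArgs("master", "feature/login")
	fmt.Println("hardened argv:", args)
	fmt.Println("suspicious refs:", SuspiciousRefs(SampleForEachRef))
}
```

The fully qualified ref is the primary defence: a value that begins with `refs/` is never an option, whatever the subcommand's parser does. The `--` separator is defence in depth, and the character rules matter beyond this bug, since a refname that git itself would refuse is a signal that the value did not come from a normal client.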

Synthesized by Vypr AI