How to find Gogs installations on your network

Latest Gogs vulnerability: #

Rapid7 has disclosed that certain versions of Gogs are affected by an argument injection vulnerability within the pull request "Rebase before merging" style merge handling. The flaw is caused by a malicious pull request branch name being passed directly to the git rebase command without a -- delimiter to indicate the end of options. As a result, the branch name is interpreted as the --exec flag. Successful exploitation allows a remote, authenticated attacker to achieve remote code execution (RCE) as the Gogs server process user via a crafted pull request. Because Gogs ships with open registration enabled by default (DISABLE_REGISTRATION = false), the authentication requirement poses less of a barrier in default configurations. This vulnerability does not currently have a CVE ID assigned, and the vendor has not released a patch.

The following versions are affected

• Gogs: Versions 0.14.2 and 0.15.0+dev (commit b53d3162)
• Note: Prior versions supporting the "Rebase before merging" merge style are likely to be vulnerable as well.

What is Gogs?
#

Gogs is an open-source, self-hosted Git repository management system written in Go that provides a web-based interface for version control with minimal hardware resource requirements.

What is the impact? #

Successful exploitation of the vulnerability would allow an attacker to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.

Are updates or workarounds available? #

There is currently no patched version of Gogs available. To mitigate risk, immediately disable open registration (DISABLE_REGISTRATION = true) and limit the Internet exposure of any Gogs instances. If applicable, restrict user repository creation (MAX_CREATION_LIMIT = 0) to reduce the immediate attack surface.

How to find potentially vulnerable systems with runZero #

From the Software Inventory, use the following query to locate potentially impacted assets:

vendor:=Gogs AND product:=Gogs

March 2026: CVE-2026-25921 #

Gogs has disclosed that certain versions are affected by a cross-repository Large File Storage (LFS) object overwrite vulnerability due to missing content hash verification. Git LFS is an open-source extension designed to manage large files, such as audio samples, videos, and datasets, more efficiently within Git repositories. Because Gogs stores all LFS objects in a single location without repository isolation, this flaw could allow a remote, unauthenticated adversary to overwrite existing objects. The vulnerability has been designated CVE-2026-25921 and has been rated critical with a CVSS score of 9.3.

The following versions are affected

• Gogs versions prior to 0.14.2

What is the impact? #

Successful exploitation of the vulnerability enables an adversary to overwrite legitimate LFS objects with malicious content. This introduces a significant risk of a supply-chain attack; because the Gogs web interface does not present integrity warnings, users may unknowingly download and utilize compromised assets.

Are updates or workarounds available? #

Users are encouraged to update to the latest version as quickly as possible:

• Gogs upgrade to version 0.14.2 or later

How to find potentially vulnerable systems with runZero #

From the Software Inventory, use the following query to locate potentially impacted assets:

vendor:=Gogs AND product:=Gogs

December 2025: CVE-2025-8110 #

Security researchers at Wiz have reported a 0-day vulnerability in Gogs. This flaw allows remote, authenticated attackers to overwrite arbitrary files on the vulnerable system. Successful exploitation of this vulnerability would allow an attacker to execute arbitrary code on the vulnerable system with the privileges of the Gogs server process.

This vulnerability has been assigned CVE-2025-8110 and has a CVSS score of 7.8.

Note that there is evidence that this vulnerability is being actively exploited in the wild.

The following versions are affected

• Gogs versions 0.13.3 and prior

What is the impact? #

Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.

Are updates or workarounds available? #

There is currently no patched fixed version of Gogs available. Users are encouraged to disable auto-registration of users and avoid Internet exposure for any Gogs installations.

How to find potentially vulnerable systems with runZero #

From the Service inventory, use the following query to locate potentially vulnerable assets:

_asset.protocol:=http AND protocol:=http AND favicon.ico.image.md5:=5f5b7539f014b9996959f5dcd063d383