Critical Gogs Flaw Allows Silent Overwriting of LFS Objects

Posted on March 11, 2026 By CWS

A critical vulnerability has been identified in Gogs, a widely used open-source Git service, which permits attackers to undetectably overwrite Large File Storage (LFS) objects.

Understanding the Gogs Vulnerability

Tracked as CVE-2026-25921, the flaw carries the maximum CVSS 3.1 score of 10.0, reflecting its potential to enable severe software supply-chain attacks. It affects Gogs versions 0.14.1 and earlier, and no official fix has been released yet.

If this vulnerability is exploited, attackers can alter essential binaries, datasets, or software builds within any repository on a shared server, all without generating any alerts.

The Root Cause Explained

The critical issue arises from two main design weaknesses in Gogs’ LFS architecture:

  • Lack of Storage Isolation: All LFS objects are stored in a single, shared location, without repository-specific isolation.
  • Missing Hash Verification: Gogs fails to verify if the uploaded file’s content matches its stated SHA-256 hash.

Together, these weaknesses mean an attacker needs only the SHA-256 hash (the LFS object ID) of a target file to upload a manipulated file, such as a compromised software installer, into a repository they control. Because the upload carries a hash the server already knows, the server treats it as a routine retry of an existing object and overwrites the legitimate file with the attacker's version.

Implications and Interim Measures

The implications of CVE-2026-25921 are severe, as the attack complexity is low, requires no special privileges, and can occur without user involvement. Legitimate users downloading the affected LFS objects may unknowingly receive tampered files, leading to potential supply-chain compromises.

In the absence of an official patch, organizations using self-hosted Gogs instances need to enforce strict security measures. This includes limiting account creation and LFS upload permissions to trusted users and implementing external scripts to periodically verify the integrity of critical LFS files.

The eventual fix from the developers will need to verify the SHA-256 hash of every uploaded LFS object against its declared object ID before the server stores it, so that content and identifier can never disagree.

Tags: CVE-2026-25921, CWE-345, Cybersecurity, Git, Gogs, hash verification, LFS, Open Source, Security, self-hosted, Software, storage isolation, supply chain attack, Vulnerability