The widely-used self-hosted Git service, Gogs, is currently facing a severe zero-day vulnerability that poses a significant risk of remote code execution (RCE) on affected servers, according to a report by Rapid7.
Understanding the Critical Vulnerability
Rated CVSS 9.4, the flaw is an argument injection vulnerability that any authenticated user can exploit: a pull request whose head branch carries a crafted name is enough to compromise the server.
In its analysis, Rapid7 explains that the crafted branch name is passed as an argument to git rebase during the ‘Rebase before merging’ operation, where a name beginning with --exec is read as git's own --exec option. git rebase --exec runs the given shell command after each replayed commit, so the attacker's command executes with the privileges of the Gogs server process user.
A standard merge joins the two histories with a merge commit; ‘Rebase before merging’ instead replays the head branch's commits on top of the base branch, which is why Gogs invokes git rebase with branch names as arguments. The vulnerability exists because the branch name is not validated before it is handed to git, so a name that looks like an option is treated as one.
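To make the injection concrete, here is an added Go example (Gogs is written in Go) that is not Gogs' own code: a hypothetical argv builder for the rebase step in the unsafe shape the report describes, beside a hardened one. It assumes the server runs a command of the form git rebase <base> <head>; the function and error names are invented for illustration. The hardened version enforces git's own branch-name rules (git refuses a branch name that begins with ‘-’, which is exactly the shape an ‘--exec=...’ payload needs) and then places the names after ‘--end-of-options’, a marker git's option parser has honoured since git 2.24 (assumed available on the server).

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrBadBranchName is returned for names git would refuse or that git's
// option parser would consume as a flag. Hypothetical name, not a Gogs identifier.
var ErrBadBranchName = errors.New("invalid branch name")

// ValidateBranchName applies git's ref-name rules to a short branch name.
// Git itself refuses a branch name beginning with '-', which is precisely
// what an argument-injection payload such as "--exec=<cmd>" needs.
func ValidateBranchName(name string) error {
	bad := func(why string) error {
		return fmt.Errorf("%w: %s: %q", ErrBadBranchName, why, name)
	}
	switch {
	case name == "" || name == "@":
		return bad("empty or reserved")
	case strings.HasPrefix(name, "-"):
		return bad("starts with '-' (would be parsed as an option)")
	case strings.HasSuffix(name, "/") || strings.HasSuffix(name, "."):
		return bad("bad trailing character")
	case strings.Contains(name, "..") || strings.Contains(name, "@{"):
		return bad("contains forbidden sequence")
	}
	for _, r := range name {
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[\\", r) {
			return bad("contains forbidden character")
		}
	}
	for _, comp := range strings.Split(name, "/") {
		if comp == "" || strings.HasPrefix(comp, ".") || strings.HasSuffix(comp, ".lock") {
			return bad("bad path component")
		}
	}
	return nil
}

// VulnerableRebaseArgs shows the unsafe shape: both names go straight into
// git's argument list, so a head branch named "--exec=<cmd>" reaches
// git rebase as an option rather than as a ref. (Illustrative only.)
func VulnerableRebaseArgs(base, head string) []string {
	return []string{"rebase", base, head}
}

// SafeRebaseArgs validates both names and then separates them from option
// parsing with --end-of-options (assumed: git >= 2.24). Validation alone
// closes the hole; the marker is defence in depth should validation regress.
func SafeRebaseArgs(base, head string) ([]string, error) {
	for _, b := range []string{base, head} {
		if err := ValidateBranchName(b); err != nil {
			return nil, err
		}
	}
	return []string{"rebase", "--end-of-options", base, head}, nil
}

// InjectedOption models how git's option parser reads the argument list:
// every argument starting with '-' is an option until "--" or
// "--end-of-options" is seen. It returns the first argument that would be
// consumed as an option, or "" if none would.
func InjectedOption(args []string) string {
	for _, a := range args[1:] { // args[0] is the git subcommand
		if a == "--" || a == "--end-of-options" {
			return ""
		}
		if strings.HasPrefix(a, "-") {
			return a
		}
	}
	return ""
}

func main() {
	// Constructed sample input: an attacker-chosen head branch name.
	head := "--exec=id"

	args := VulnerableRebaseArgs("main", head)
	fmt.Printf("vulnerable argv: git %s\n", strings.Join(args, " "))
	fmt.Printf("git would consume %q as an option\n", InjectedOption(args))

	if _, err := SafeRebaseArgs("main", head); err != nil {
		fmt.Println("hardened builder rejected it:", err)
	}
	safe, _ := SafeRebaseArgs("main", "feature/login")
	fmt.Printf("hardened argv: git %s\n", strings.Join(safe, " "))
}
```

Run stand-alone it prints both argument lists; the value to look at is what InjectedOption reports for each, which is empty only for the hardened builder. The check is deliberately done on the argument list, without invoking git, so it can be reused wherever a user-supplied ref name is about to become a command-line argument.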
Exploitability and Impact
Importantly, ‘Rebase before merging’ is off by default. It is a per-repository setting, however, that any repository owner can enable, and the default configuration makes every user the owner of the repositories they create. An attacker can therefore satisfy the precondition entirely within an account they control, with no interaction from any other user.
Rapid7 warns that, because a default Gogs install also allows open registration and unrestricted repository creation, an unauthenticated attacker can register an account, create a repository, enable rebase merging there and open the malicious pull request, again without any action by a victim user.
The consequences of this vulnerability are severe, potentially leading to arbitrary command execution as the Gogs server process user. This could allow attackers to compromise the server, access private repositories, dump credentials, and alter hosted repository code.
Response and Mitigation
Default installations on Windows, Linux and macOS are all affected; instances that permit multiple user accounts are the most exposed. Rapid7 has developed a Metasploit module that automates the exploit chain and has published indicators of compromise (IoCs) to help defenders identify breaches.
The Gogs maintainers were informed of the issue in mid-March, but a patch has not yet been released. This vulnerability marks the second Gogs zero-day made public in the last six months, following a similar disclosure by Wiz in December regarding CVE-2025-8110.
Until a fix is issued, the preconditions the report describes are the levers defenders have: disable open registration, restrict who may create repositories, audit existing repositories for the ‘Rebase before merging’ setting, and check servers against Rapid7's published IoCs.
