Gogs RCE: The Symlink That Killed the Patch (CVE-2024-56731)
Vulnerability ID: CVE-2024-56731
CVSS Score: 10.0
Published: 2025-06-24
A critical Remote Command Execution vulnerability in Gogs versions prior to 0.13.3. This flaw is a bypass of a previous fix (CVE-2024-39931), allowing authenticated users to overwrite internal Git files via symbolic links.
TL;DR
Gogs tried to stop hackers from deleting .git files by checking file names. Hackers bypassed this by using symbolic links (e.g., evil_link -> .git/config). By editing the symlink via the Web UI, attackers can overwrite Git hooks and achieve full RCE. CVSS 10.0.
⚠️ Exploit Status: POC
Technical Details
- CWE: CWE-59 (Link Following)
- Attack Vector: Network (Authenticated)
- CVSS: 10.0 (Critical)
- Impact: Remote Command Execution (RCE)
- Privileges: Low (Any authenticated user)
- Fix Version: 0.13.3
Affected Systems
- Gogs (Self-Hosted Git Service)
-
Gogs: < 0.13.3 (Fixed in:
0.13.3)
Code Analysis
Commit: 1cba9bc
Prevent modification of symbolic links in repo file handling
func UpdateRepoFile(...) {
+ info, err := os.Lstat(filePath)
+ if err == nil && osutil.IsSymlink(filePath) {
+ return nil, errors.New("cannot modify symbolic link")
+ }
Exploit Details
- GitHub: Discussion regarding the symlink bypass and initial disclosure
Mitigation Strategies
- Upgrade Gogs immediately
- Disable open user registration
- Scan repositories for suspicious symlinks
Remediation Steps:
- Stop the Gogs service.
- Download the binary for version 0.13.3 or later.
- Replace the existing binary.
- Restart the service.
- Verify the version in the footer of the web UI.
References
Read the full report for CVE-2024-56731 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)