
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-64175: Gogs 2FA Bypass: The Universal Skeleton Key in Your Git Server


Vulnerability ID: CVE-2025-64175
CVSS Score: 7.7
Published: 2026-02-06

A critical logic error in the Gogs self-hosted Git service allows attackers to bypass Two-Factor Authentication (2FA) by using recovery codes belonging to a different account. If an attacker possesses a victim's primary credentials (username/password), they can successfully authenticate as the victim by supplying a recovery code generated from an account they control. This effectively neutralizes the 2FA protection layer, turning a credential leak into a full account takeover.

TL;DR

Gogs failed to verify ownership of 2FA recovery codes. An attacker with your password can log in to your account using their recovery codes. Patch to 0.13.4 immediately.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-287 (Improper Authentication)
  • CVSS v4.0: 7.7 (High)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low (any valid account on the instance)
  • Impact: Full Account Takeover

Affected Systems

  • Gogs (Self-hosted Git Service)
  • Gogs: < 0.13.4 (Fixed in: 0.13.4)

Code Analysis

Commit: d568e04

Fix 2FA recovery code validation scope

- func UseRecoveryCode(_ int64, code string) error {
+ func (db *twoFactors) UseRecoveryCode(ctx context.Context, userID int64, code string) error {
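Review bot: the old signature discards the user ID (`_ int64`), so the lookup it fronts can only have been keyed on the code value itself, which is exactly the cross-account acceptance described above; the new signature takes `userID`, but the hunk shows only the signature line, so confirm that the query body filters on the user ID as well as the code and still marks the matched row as used. The newly added `ctx context.Context` should be passed through to the database call rather than left unused, and a regression test that submits one account's unused code against another account's user ID would pin the fix in place.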

Exploit Details

  • Theoretical: the exploit involves logging in as the victim with the victim's primary credentials and, at the 2FA step, supplying an unused recovery code generated from the attacker's own account.
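To make the missing ownership check concrete, here is an added Go sketch (not Gogs's code; the struct fields, function names and sample codes are assumptions constructed for this example) placing a recovery-code lookup that ignores the caller's user ID next to one scoped to the authenticating user, so the defect and the fix can be unit-tested side by side:

```go
package main

import (
	"crypto/subtle"
	"errors"
)

// recoveryCode is a constructed stand-in for a stored 2FA recovery code row;
// the field names are assumptions for this example, not Gogs's schema.
type recoveryCode struct {
	UserID int64
	Code   string
	Used   bool
}

var errInvalidCode = errors.New("invalid or already-used recovery code")
// newSampleStore returns constructed data: user 1 is the victim, user 2 the attacker.
func newSampleStore() []*recoveryCode {
	return []*recoveryCode{
		{UserID: 1, Code: "victim-aaaa"},
		{UserID: 2, Code: "attacker-bbbb"},
	}
}

// unusedAndEqual compares in constant time and rejects codes already consumed.
func unusedAndEqual(rc *recoveryCode, code string) bool {
	return !rc.Used && subtle.ConstantTimeCompare([]byte(rc.Code), []byte(code)) == 1
}

// useRecoveryCodeUnscoped mirrors the defect: the user ID is ignored, so any account's unused code completes the login.
func useRecoveryCodeUnscoped(store []*recoveryCode, _ int64, code string) error {
	for _, rc := range store {
		if unusedAndEqual(rc, code) {
			rc.Used = true
			return nil
		}
	}
	return errInvalidCode
}

// useRecoveryCodeScoped is the hardened form: only codes owned by userID are considered.
func useRecoveryCodeScoped(store []*recoveryCode, userID int64, code string) error {
	for _, rc := range store {
		if rc.UserID == userID && unusedAndEqual(rc, code) {
			rc.Used = true
			return nil
		}
	}
	return errInvalidCode
}
```

The scoped version also refuses a code the second time it is presented, which is the property the "regenerate recovery codes" step below relies on.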

Mitigation Strategies

  • Upgrade to Gogs version 0.13.4 or later immediately.
  • If upgrading is not possible, disable public user registration to limit the attacker's ability to generate valid recovery codes on the instance.
  • Rotate passwords for all users, since exploitation requires the attacker to already hold the victim's primary credentials; a successful bypass means those credentials were compromised.

Remediation Steps:

  1. Backup your Gogs database and configuration.
  2. Download the latest binary release (>= 0.13.4) from the official GitHub repository.
  3. Replace the old binary with the new one.
  4. Restart the Gogs service.
  5. Advise users to regenerate their 2FA recovery codes as a precaution.

References

Read the full report for CVE-2025-64175 on our website for more details, including interactive diagrams and full exploit analysis.
