
IntelligenceX


Critical Gogs RCE Vulnerability Lets Any Authenticated User Execute Arbitrary Code

A critical security flaw has been found in Gogs, a widely used open-source, self-hosted Git service. It allows any authenticated user to run arbitrary code on a vulnerable server.

The issue carries a CVSS score of 9.4, placing it among the most severe reports for Gogs. According to the researchers, the weakness is reachable through the "Rebase before merging" pull request option: an attacker can inject commands that are executed on the server while the pull request is being merged.

The only prerequisite is a valid user account. In a default Gogs configuration, regular users can create their own repositories, enable rebase merging, and trigger the bug without administrator privileges and without any interaction from other users.

The root cause is that a branch name is handed to git rebase in a position where git parses it as a command-line option. A crafted branch name that carries git's --exec option therefore causes git to run the attacker's command on the underlying server as soon as the rebase starts. In practice this is remote code execution on the host.
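The following Go program is an added illustration of the bug class described above, argument injection into a git invocation; it is not Gogs' own code and does not reproduce the exact vulnerable call site. It assumes a hypothetical server-side helper that builds the argv for "git rebase" from a user-supplied branch name, and that git rebase honours the conventional "--" terminator that ends option parsing. The constructed branch name "--exec=id" stands in for the attacker-chosen payload. The point it makes is that exec.Command already avoids shell injection (each argument is passed separately), yet an option-like ref name still reaches git's option parser unless the name is validated and option parsing is explicitly terminated.

```go
package main

import (
	"fmt"
	"os/exec"
	"strings"
)

// buildRebaseArgsVulnerable builds the argv the way the flawed pattern does
// (hypothetical reconstruction, not Gogs' code): the user-controlled branch
// name lands directly in argv, where git's option parser gets to see it.
func buildRebaseArgsVulnerable(upstream, branch string) []string {
	return []string{"rebase", upstream, branch}
}

// isOptionLike reports whether a user-controlled string would be parsed by
// git as an option (leading dash) rather than as a ref name.
func isOptionLike(name string) bool {
	return strings.HasPrefix(name, "-")
}

// buildRebaseArgsHardened refuses empty or option-like ref names and, as a
// second line of defence, inserts "--" so git treats everything after it as
// positional arguments even if validation is ever bypassed.
func buildRebaseArgsHardened(upstream, branch string) ([]string, error) {
	for _, n := range []string{upstream, branch} {
		if n == "" || isOptionLike(n) {
			return nil, fmt.Errorf("refusing option-like ref name %q", n)
		}
	}
	return []string{"rebase", "--", upstream, branch}, nil
}

func main() {
	// Constructed attacker-controlled branch name (not from the article).
	evil := "--exec=id"

	vulnArgs := buildRebaseArgsVulnerable("main", evil)
	vulnCmd := exec.Command("git", vulnArgs...) // built, deliberately not run
	fmt.Println("vulnerable argv:", vulnCmd.Args)
	// git would interpret "--exec=id" as its --exec option and run `id`
	// after each replayed commit: argument injection with no shell involved.

	if _, err := buildRebaseArgsHardened("main", evil); err != nil {
		fmt.Println("hardened:", err)
	}

	safeArgs, err := buildRebaseArgsHardened("main", "feature/login")
	if err != nil {
		panic(err)
	}
	fmt.Println("hardened argv:", exec.Command("git", safeArgs...).Args)
}
```

Rejecting any ref name that starts with a dash is stricter than git's own ref-name rules, which is intentional for a server that executes git on behalf of untrusted users: a branch name is never legitimately an option, so the extra "--" costs nothing and the allowlist check fails closed.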

The researchers also warn that the impact of a successful exploit is severe: an attacker can read hosted repositories, extract stored credentials, pivot into internal networks, and potentially compromise other systems reachable from the affected server.

This is especially concerning for organizations running shared Gogs instances with many users. A successful attack exposes other users' private repositories, turning the bug into a cross-tenant security problem.

At the time of disclosure the issue was reportedly unpatched, leaving administrators with temporary mitigations rather than a fix. The recommended steps are to disable public user registration, restrict which users may create repositories, and review every repository that has rebase merging enabled.

The researchers estimate that more than a thousand Gogs instances are reachable from the internet; the true number of affected deployments is likely far higher once private and internal installations are counted.

This incident is another reminder that development platforms and source code management systems remain attractive targets, because the source code, credentials, and access they hold are highly valuable.

Security-focused organizations such as IntelligenceX continue to stress secure software development practices, stricter access control, and ongoing vulnerability monitoring as key defences for development infrastructure.
