Gogs has released a critical security patch to address a zero-day argument injection vulnerability affecting all versions up to 0.14.2 and 0.15.0+dev. Discovered by Rapid7 researcher Jonah Burgess, the flaw allows authenticated attackers to execute remote code, access private repositories, and steal credentials. Because Gogs default configurations often allow open registration, unauthenticated actors can simply create an account to initiate the exploit chain.
The vulnerability is located within the Merge() code path and is specifically exploitable when rebase merging is enabled. While a fix is now available in version 0.14.3, organizations unable to patch immediately are advised to disable open registration and restrict repository creation. This flaw follows a series of similar argument injection issues recently patched in the Gogs platform, highlighting a recurring attack vector for the self-hosted Git service.
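A small audit of a Gogs `app.ini` for the two interim mitigations named above, as an added example rather than Gogs project code. It assumes the stock Gogs keys `[service] DISABLE_REGISTRATION` and `[repository] MAX_CREATION_LIMIT` (where -1 means no limit, and a per-user override can still apply); the two sample configs are constructed.

```python
"""Check a Gogs app.ini for open registration and unlimited repository creation.

Added example, not Gogs project code. Assumes the stock Gogs keys
[service] DISABLE_REGISTRATION and [repository] MAX_CREATION_LIMIT
(-1 means unlimited); both sample configs below are constructed.
"""
import configparser

# Constructed sample: default-like install with open registration and no repo limit
WEAK_INI = """
[service]
DISABLE_REGISTRATION = false
REQUIRE_SIGNIN_VIEW = false

[repository]
MAX_CREATION_LIMIT = -1
"""

# Constructed sample: the same install with both interim mitigations applied
HARDENED_INI = """
[service]
DISABLE_REGISTRATION = true
REQUIRE_SIGNIN_VIEW = true

[repository]
MAX_CREATION_LIMIT = 0
"""


def audit_gogs_ini(text: str) -> list[str]:
    """Return findings for the weak settings; an empty list means both mitigations are set."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    # Open registration lets anyone obtain the authenticated account the exploit chain needs.
    # A missing key falls back to Gogs' default of open registration.
    if not cp.getboolean("service", "DISABLE_REGISTRATION", fallback=False):
        findings.append("[service] DISABLE_REGISTRATION is not true: open registration is enabled")
    # Gogs treats -1 (also the default when the key is absent) as no creation limit.
    if cp.getint("repository", "MAX_CREATION_LIMIT", fallback=-1) < 0:
        findings.append("[repository] MAX_CREATION_LIMIT is -1: repository creation is unrestricted")
    return findings


if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit_gogs_ini(ini) or ["OK"])
```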