Full Report
Gogs has patched a critical security zero-day flaw that can allow attackers to compromise Internet-facing instances and access any repositories (including private ones). [...]
Analysis Summary
# Vulnerability: Authenticated Remote Code Execution via Argument Injection in Gogs
## CVE Details
- **CVE ID**: Pending (Requested following release of version 0.14.3; GHSA-qf6p-p7ww-cwr9)
- **CVSS Score**: Not yet officially rated. Full RCE on the host points to a High-to-Critical rating; because any registered user can trigger it, a CVSS v3.1 vector of AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H scores 8.8 (High), and the default self-registration noted below pushes the practical risk toward Critical.
- **CWE**: CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
## Affected Systems
- **Products**: Gogs (Go Git Service)
- **Versions**: All releases up to and including 0.14.2, plus development builds versioned 0.15.0+dev.
- **Configurations**: Default settings widen exposure because:
  - Open registration is enabled (`DISABLE_REGISTRATION = false`), so any Internet user can obtain the account the exploit requires.
  - Repository creation is unlimited (`MAX_CREATION_LIMIT = -1`), so that account can create a repository whose settings it fully controls.
## Vulnerability Description
The flaw is an argument injection vulnerability (CWE-88) in the `Merge()` code path: values controlled by an authenticated user are placed into the argument vector of a Git command that the server executes, so a value beginning with `-` is parsed by Git as an option rather than as data. By enabling the "rebase merging" feature in a repository's settings, an attacker can steer the Git operations performed during a merge and, through the injected options, execute arbitrary commands on the underlying host operating system.
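The mechanism in the abstract, as an added example that is not Gogs' code: a Go sketch of the unsafe pattern (user-controlled branch names appended straight to a `git` argument vector) beside a hardened builder that validates the names and passes them as fully qualified refs. The option name `--some-option`, the branch names, and the `refs/heads/` qualification are this example's own choices, not details taken from the advisory.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrUnsafeRef is returned for a user-supplied value that git could parse as
// an option, or that is not a valid branch name at all.
var ErrUnsafeRef = errors.New("ref name rejected: would be parsed as a git option")

// vulnerableRebaseArgv shows the argument-injection pattern in the abstract:
// user-controlled branch names go straight into git's argument vector, so a
// name beginning with "-" is seen by git as an option, not as a ref.
// (Illustrative only; this is not the Gogs Merge() code.)
func vulnerableRebaseArgv(base, head string) []string {
	return []string{"git", "rebase", base, head}
}

// validateRefName rejects values that are not plausible branch names: a
// leading "-" (option injection), ".lock" suffixes, and characters that git
// itself forbids in ref names.
func validateRefName(name string) error {
	if name == "" || strings.HasPrefix(name, "-") || strings.HasSuffix(name, ".lock") {
		return ErrUnsafeRef
	}
	if strings.Contains(name, "..") || strings.Contains(name, "@{") {
		return ErrUnsafeRef
	}
	if strings.ContainsAny(name, " ~^:?*[\\\x7f") {
		return ErrUnsafeRef
	}
	for _, r := range name {
		if r < 0x20 {
			return ErrUnsafeRef
		}
	}
	return nil
}

// hardenedRebaseArgv validates both names and then passes them as fully
// qualified refs. "refs/heads/<name>" can never begin with "-", so even a
// value that slipped past validation cannot be read by git as an option.
func hardenedRebaseArgv(base, head string) ([]string, error) {
	for _, n := range []string{base, head} {
		if err := validateRefName(n); err != nil {
			return nil, fmt.Errorf("%q: %w", n, err)
		}
	}
	return []string{"git", "rebase", "refs/heads/" + base, "refs/heads/" + head}, nil
}

// optionLikePositionals reports which argument positions after the git
// subcommand begin with "-". For a builder that appends only positionals
// (as above), any hit means user data is about to be parsed as an option.
func optionLikePositionals(argv []string) []int {
	var hits []int
	for i := 2; i < len(argv); i++ { // argv[0]="git", argv[1]=subcommand
		if strings.HasPrefix(argv[i], "-") {
			hits = append(hits, i)
		}
	}
	return hits
}

func main() {
	// Constructed attacker-controlled branch name; "--some-option" stands in
	// for whatever option an attacker would try to smuggle into the command.
	evil := "--some-option"

	v := vulnerableRebaseArgv("main", evil)
	fmt.Printf("vulnerable argv: %q (option-like positions: %v)\n", v, optionLikePositionals(v))

	if _, err := hardenedRebaseArgv("main", evil); err != nil {
		fmt.Println("hardened builder refused:", err)
	}
	h, _ := hardenedRebaseArgv("main", "feature/login")
	fmt.Printf("hardened argv: %q\n", h)
}
```

Qualifying the ref is the part that survives a validation bypass: a branch name can be checked with a dozen rules and still be wrong, whereas an argument that starts with `refs/heads/` is never an option to git.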
## Exploitation
- **Status**: PoC available (publicly disclosed by Rapid7); security researchers have warned of likely exploitation because of the delay between disclosure and the patch.
- **Complexity**: Low
- **Attack Vector**: Network (Requires authentication; however, default settings allow self-registration).
## Impact
- **Confidentiality**: High (Access to all repositories, including private ones, and server credentials).
- **Integrity**: High (Ability to alter hosted source code and move laterally within the network).
- **Availability**: High (Full compromise of the targeted server).
## Remediation
### Patches
- **Gogs v0.14.3**: Released June 7, 2026. This version contains the fix implemented via pull request #8301.
### Workarounds
If immediate patching is not possible, apply the following changes in `app.ini`:
1. **Disable Open Registration**: Set `DISABLE_REGISTRATION = true` to prevent unauthorized account creation; the exploit requires an authenticated account.
2. **Restrict Repository Creation**: Set `MAX_CREATION_LIMIT = 0` to prevent users from creating the repositories required for the exploit chain. Note that this also blocks legitimate users from creating new repositories until the instance is patched.
3. **Audit Permissions**: Revoke write access from untrusted users on existing repositories, since an existing repository they can administer serves the attacker as well as a freshly created one.
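An added check, not part of the advisory or of Gogs, that audits an `app.ini` for the two settings above and treats a missing key as the Gogs default (registration open, unlimited creation). It assumes, as in the default Gogs `app.ini`, that `DISABLE_REGISTRATION` lives in the `[service]` section and `MAX_CREATION_LIMIT` in `[repository]`; the two sample configurations are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Finding describes one setting that leaves the exploit chain open.
type Finding struct {
	Section, Key, Value, Advice string
}

// parseINI is a minimal reader for app.ini-style files: [section] headers,
// KEY = value lines, and ';' or '#' comments. Sections are lower-cased and
// keys upper-cased so lookups are case-insensitive.
func parseINI(text string) map[string]map[string]string {
	cfg := map[string]map[string]string{}
	section := "default"
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == ';' || line[0] == '#' {
			continue
		}
		if line[0] == '[' && strings.HasSuffix(line, "]") {
			section = strings.ToLower(line[1 : len(line)-1])
			continue
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		if cfg[section] == nil {
			cfg[section] = map[string]string{}
		}
		cfg[section][strings.ToUpper(strings.TrimSpace(k))] = strings.TrimSpace(v)
	}
	return cfg
}

// auditWorkarounds checks the two settings named in the workaround. Absent
// keys are reported with their default values, which is the exposed state.
func auditWorkarounds(cfg map[string]map[string]string) []Finding {
	var out []Finding

	reg := strings.ToLower(cfg["service"]["DISABLE_REGISTRATION"])
	if reg == "" {
		reg = "false (default)"
	}
	if reg != "true" {
		out = append(out, Finding{"service", "DISABLE_REGISTRATION", reg,
			"set to true so attackers cannot self-register"})
	}

	lim := cfg["repository"]["MAX_CREATION_LIMIT"]
	n, err := strconv.Atoi(lim)
	if lim == "" {
		lim, n, err = "-1 (default)", -1, nil
	}
	if err != nil || n != 0 {
		out = append(out, Finding{"repository", "MAX_CREATION_LIMIT", lim,
			"set to 0 so untrusted accounts cannot create repositories"})
	}
	return out
}

// Constructed sample configurations (not taken from any real deployment).
const weakINI = `
[repository]
ROOT = /data/git/repositories
MAX_CREATION_LIMIT = -1

[service]
DISABLE_REGISTRATION = false
`

const hardenedINI = `
[repository]
ROOT = /data/git/repositories
MAX_CREATION_LIMIT = 0

[service]
DISABLE_REGISTRATION = true
`

func main() {
	for _, f := range auditWorkarounds(parseINI(weakINI)) {
		fmt.Printf("[%s] %s = %s -> %s\n", f.Section, f.Key, f.Value, f.Advice)
	}
	fmt.Println("findings in hardened config:", len(auditWorkarounds(parseINI(hardenedINI))))
}
```

Point it at a real `app.ini` by reading the file into the string passed to `parseINI`; an empty or absent file yields both findings, which is the correct answer for a stock installation.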
## Detection
- **Indicators of Compromise**: Monitor the Git commands spawned by the Gogs process (for example via process-execution auditing) for arguments beginning with `-` in positions where a branch or ref name is expected.
- **Audit Logs**: Review account creation logs and repository setting changes, specifically the enabling of "Rebase before merging" on repositories created by new or untrusted accounts.
- **Detection Methods**: Use file integrity monitoring (FIM) to detect unauthorized changes to hosted source code, the Gogs configuration, or other server configuration files.
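Detection of the first indicator over process-execution logs, as an added example that is not part of the advisory: Go code that parses auditd `EXECVE` records (including the hex-encoded form auditd uses for values containing spaces or quotes), keeps only `git` invocations, and flags option-looking arguments that are not on an allow-list of flags the server is known to pass. The records and the `--quiet` allow-list are constructed; `--some-option` is a placeholder, not the option used in the real exploit.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// argRe matches one EXECVE argument field: aN="quoted" or aN=HEX. auditd
// hex-encodes (without quotes) any value containing a space or a quote.
var argRe = regexp.MustCompile(`\ba(\d+)=("([^"]*)"|([0-9A-Fa-f]+))`)

// parseExecveArgs returns the argv carried by an auditd EXECVE record, in
// index order, decoding hex-encoded fields. Non-EXECVE records yield nil.
func parseExecveArgs(rec string) []string {
	if !strings.Contains(rec, "type=EXECVE") {
		return nil
	}
	vals := map[int]string{}
	maxIdx := -1
	for _, f := range argRe.FindAllStringSubmatch(rec, -1) {
		i, err := strconv.Atoi(f[1])
		if err != nil {
			continue
		}
		v := f[3]
		if f[4] != "" {
			if b, err := hex.DecodeString(f[4]); err == nil {
				v = string(b)
			}
		}
		vals[i] = v
		if i > maxIdx {
			maxIdx = i
		}
	}
	argv := make([]string, maxIdx+1)
	for i, v := range vals {
		argv[i] = v
	}
	return argv
}

// suspiciousGitOptions returns every option-looking argument of a git
// invocation that is not on the allow-list. The allow-list should hold the
// flags the server legitimately passes (global ones such as -C included);
// "--opt=value" is matched by its "--opt" part.
func suspiciousGitOptions(argv []string, allowed map[string]bool) []string {
	if len(argv) < 2 || !(argv[0] == "git" || strings.HasSuffix(argv[0], "/git")) {
		return nil
	}
	var hits []string
	for _, a := range argv[1:] {
		if !strings.HasPrefix(a, "-") {
			continue
		}
		name, _, _ := strings.Cut(a, "=")
		if !allowed[name] {
			hits = append(hits, a)
		}
	}
	return hits
}

// scanRecords maps record index -> suspicious arguments for flagged records.
func scanRecords(records []string, allowed map[string]bool) map[int][]string {
	hits := map[int][]string{}
	for i, rec := range records {
		if s := suspiciousGitOptions(parseExecveArgs(rec), allowed); len(s) > 0 {
			hits[i] = s
		}
	}
	return hits
}

// Constructed sample records (not from a real host).
var sampleRecords = []string{
	// benign: the server's own --quiet flag, positionals are plain refs
	`type=EXECVE msg=audit(1717747200.101:501): argc=5 a0="git" a1="rebase" a2="--quiet" a3="main" a4="feature"`,
	// an option where a branch name belongs
	`type=EXECVE msg=audit(1717747200.102:502): argc=4 a0="/usr/bin/git" a1="rebase" a2="main" a3="--some-option"`,
	// same idea, but auditd hex-encoded the value because it contains a space
	`type=EXECVE msg=audit(1717747200.103:503): argc=4 a0="git" a1="rebase" a2="main" a3=2D2D736F6D65206F7074696F6E`,
	// unrelated process, ignored
	`type=EXECVE msg=audit(1717747200.104:504): argc=2 a0="/bin/ls" a1="-la"`,
}

func main() {
	allowed := map[string]bool{"--quiet": true}
	for i, s := range scanRecords(sampleRecords, allowed) {
		fmt.Printf("record %d: suspicious git arguments %q\n", i, s)
	}
}
```

Build the allow-list from a few days of records on a known-good instance; tuning it too loosely (for example allowing any `--` option) defeats the purpose, because the injected value is itself an option.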
## References
- **Vendor Release**: hxxps[://]github[.]com/gogs/gogs/releases/tag/v0.14.3
- **Researcher Disclosure (Rapid7)**: hxxps[://]www[.]rapid7[.]com/blog/post/ve-authenticated-rce-via-argument-injection-gogs-unfixed/
- **Pull Request**: hxxps[://]github[.]com/gogs/gogs/pull/8301
- **Shadowserver Statistics**: hxxps[://]dashboard[.]shadowserver[.]org/statistics/iot-devices/time-series/?vendor=gogs